
Windows Analysis Report
ORDER ENQIRY #093727664.exe

Overview

General Information

Sample name: ORDER ENQIRY #093727664.exe
Analysis ID: 1590631
MD5: 6c307da605db691944e35458f2a5b772
SHA1: b89158e370a8658cf3a6ed2bb78925e004034905
SHA256: f65ec81dc8f5d0a0a1f53752cdc2bb933e2897a91091f28b8d1702ffe207481c
Tags: exe, user-TeamDreier

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ORDER ENQIRY #093727664.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe" MD5: 6C307DA605DB691944E35458F2A5B772)
    • svchost.exe (PID: 7820 cmdline: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmd.exe (PID: 7896 cmdline: "C:\Windows\SysWOW64\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • cmd.exe (PID: 7948 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • explorer.exe (PID: 5968 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
        • WerFault.exe (PID: 7520 cmdline: C:\Windows\system32\WerFault.exe -u -p 4056 -s 3612 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"C2 list": ["www.radantobin.photography/g49t/"], "decoy": ["oast.now", "11av1805.xyz", "ourse.sale", "nfoaldyfbvmdgfat.buzz", "ntli.biz", "apidrotation.net", "ourmet94goodies.shop", "eeksee.fun", "aamahsa-emer6.rest", "he-eyeofgod.online", "ctofoot.net", "ellnessdigitalmedia.store", "0999yh.one", "inghoki88.pro", "sg.productions", "basicwardrobe.club", "itansofwisdom.fun", "leaning-services-46734.bond", "dinhk.online", "arcelaamiga.shop", "edicsanonymous.online", "potloans.live", "hermocontrol.xyz", "arehouse-inventory-93551.bond", "lockchain.xxx", "om-tarewo.icu", "ushmore.construction", "rombeyond.xyz", "epression-test-52238.bond", "oiyter.xyz", "etva.online", "arbiequiz.shop", "ransmediatupa.store", "erali.rest", "ox-packaging-jobs11.online", "ebastianschlosser.xyz", "hetrumpet.news", "sefiorella.online", "ifechanging.charity", "5q04.net", "jso.net", "uantuminternship.online", "bngy.shop", "rabul.xyz", "atxyzdes.live", "ewrefope.xyz", "dwardjrhuntley.online", "erfectescapes.vacations", "ntfqz.info", "linds-curtains-47952.bond", "nsidechina.online", "ickanddrive.online", "oisv.info", "irro.mobi", "eqiachat3.christmas", "hampioon-slotss.vin", "rilens.online", "ydhl.life", "ormuladedesconectar.shop", "epression-test-87609.bond", "asik-eye-surgery-90605.bond", "raveheart2.online", "tejarat.online", "raftmine.xyz"]}
Source | Rule | Description | Author | Strings
00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18819:$sqlite3step: 68 34 1C 7B E1
      • 0x1892c:$sqlite3step: 68 34 1C 7B E1
      • 0x18848:$sqlite3text: 68 38 2A 90 C5
      • 0x1896d:$sqlite3text: 68 38 2A 90 C5
      • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
          0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17a19:$sqlite3step: 68 34 1C 7B E1
          • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a48:$sqlite3text: 68 38 2A 90 C5
          • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C

          System Summary

          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe", CommandLine: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe", CommandLine|base64offset|contains: E, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe", ParentImage: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe, ParentProcessId: 7756, ParentProcessName: ORDER ENQIRY #093727664.exe, ProcessCommandLine: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe", ProcessId: 7820, ProcessName: svchost.exe
          Source: Process started | Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Data: Command: explorer.exe, CommandLine: explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmd.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7896, ParentProcessName: cmd.exe, ProcessCommandLine: explorer.exe, ProcessId: 5968, ProcessName: explorer.exe
          Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe", CommandLine: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe", CommandLine|base64offset|contains: E, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe", ParentImage: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe, ParentProcessId: 7756, ParentProcessName: ORDER ENQIRY #093727664.exe, ProcessCommandLine: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe", ProcessId: 7820, ProcessName: svchost.exe
          No Suricata rule has matched


          AV Detection

          Source: ORDER ENQIRY #093727664.exe | Avira: detected
          Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.radantobin.photography/g49t/"], "decoy": ["oast.now", "11av1805.xyz", "ourse.sale", "nfoaldyfbvmdgfat.buzz", "ntli.biz", "apidrotation.net", "ourmet94goodies.shop", "eeksee.fun", "aamahsa-emer6.rest", "he-eyeofgod.online", "ctofoot.net", "ellnessdigitalmedia.store", "0999yh.one", "inghoki88.pro", "sg.productions", "basicwardrobe.club", "itansofwisdom.fun", "leaning-services-46734.bond", "dinhk.online", "arcelaamiga.shop", "edicsanonymous.online", "potloans.live", "hermocontrol.xyz", "arehouse-inventory-93551.bond", "lockchain.xxx", "om-tarewo.icu", "ushmore.construction", "rombeyond.xyz", "epression-test-52238.bond", "oiyter.xyz", "etva.online", "arbiequiz.shop", "ransmediatupa.store", "erali.rest", "ox-packaging-jobs11.online", "ebastianschlosser.xyz", "hetrumpet.news", "sefiorella.online", "ifechanging.charity", "5q04.net", "jso.net", "uantuminternship.online", "bngy.shop", "rabul.xyz", "atxyzdes.live", "ewrefope.xyz", "dwardjrhuntley.online", "erfectescapes.vacations", "ntfqz.info", "linds-curtains-47952.bond", "nsidechina.online", "ickanddrive.online", "oisv.info", "irro.mobi", "eqiachat3.christmas", "hampioon-slotss.vin", "rilens.online", "ydhl.life", "ormuladedesconectar.shop", "epression-test-87609.bond", "asik-eye-surgery-90605.bond", "raveheart2.online", "tejarat.online", "raftmine.xyz"]}
          Source: ORDER ENQIRY #093727664.exe | Virustotal: Detection: 43%
          Source: ORDER ENQIRY #093727664.exe | ReversingLabs: Detection: 42%
          Source: Yara match | File source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: ORDER ENQIRY #093727664.exe | Joe Sandbox ML: detected
          Source: ORDER ENQIRY #093727664.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: ORDER ENQIRY #093727664.exe, 00000000.00000003.1374755177.0000000003640000.00000004.00001000.00020000.00000000.sdmp, ORDER ENQIRY #093727664.exe, 00000000.00000003.1371376355.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1445137068.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1445137068.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1375955576.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1382221669.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2737366808.0000000002F80000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2737366808.000000000311E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1444672233.0000000002C23000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1446535072.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: svchost.exe, 00000002.00000003.1444153418.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1443966435.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2679435681.0000000000410000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: ORDER ENQIRY #093727664.exe, 00000000.00000003.1374755177.0000000003640000.00000004.00001000.00020000.00000000.sdmp, ORDER ENQIRY #093727664.exe, 00000000.00000003.1371376355.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1445137068.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1445137068.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1375955576.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1382221669.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000004.00000002.2737366808.0000000002F80000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2737366808.000000000311E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1444672233.0000000002C23000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1446535072.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.2329407776.0000000010DFF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.2734085137.00000000029B5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2740662865.00000000034CF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2805189540.000000000A8BF000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: cmd.pdb source: svchost.exe, 00000002.00000003.1444153418.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1443966435.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000004.00000002.2679435681.0000000000410000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.2329407776.0000000010DFF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.2734085137.00000000029B5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2740662865.00000000034CF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2805189540.000000000A8BF000.00000004.80000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_0069C2A2 FindFirstFileExW,0_2_0069C2A2
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D68EE FindFirstFileW,FindClose,0_2_006D68EE
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_006D698F
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006CD076
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006CD3A9
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006D9642
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006D979D
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_006D9B2B
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_006CDBBE
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_006D5C97
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0042589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,4_2_0042589A
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00433E66 FindFirstFileW,FindNextFileW,FindClose,4_2_00433E66
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00420207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,4_2_00420207
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00424EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00424EC1
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0041532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,4_2_0041532E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi | 2_2_003CE476
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi | 4_2_024AE476

          Networking

          Source: Malware configuration extractor | URLs: www.radantobin.photography/g49t/
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_006DCE44
          Source: global traffic | DNS traffic detected: DNS query: time.windows.com
          Source: global traffic | DNS traffic detected: DNS query: www.potloans.live
          Source: global traffic | DNS traffic detected: DNS query: www.erfectescapes.vacations
          Source: global traffic | DNS traffic detected: DNS query: www.rilens.online
          Source: global traffic | DNS traffic detected: DNS query: api.msn.com
          Source: global traffic | DNS traffic detected: DNS query: www.ydhl.life
          Source: explorer.exe, 00000003.00000000.1387701317.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2318980424.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272503958.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2316722094.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272665489.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.0000000009B16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.0000000009B0B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.0000000009AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000003.00000000.1387701317.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2318980424.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272503958.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2316722094.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272665489.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.0000000009B16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.0000000009B0B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.0000000009AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 0000000D.00000003.2376748203.0000000009B16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/
          Source: explorer.exe, 00000003.00000000.1387701317.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2318980424.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272503958.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2316722094.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272665489.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.0000000009B0B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.0000000009AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000003.00000000.1387701317.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2318980424.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272503958.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2316722094.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272665489.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.0000000009B0B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.0000000009AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000003.00000002.2317848990.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2318369406.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2318340710.0000000008810000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.aamahsa-emer6.rest
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.aamahsa-emer6.rest/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aamahsa-emer6.rest/g49t/www.radantobin.photography
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.aamahsa-emer6.rest/g49t/www.sg.productions
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.aamahsa-emer6.restReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apidrotation.net
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apidrotation.net/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apidrotation.net/g49t/www.lockchain.xxx
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apidrotation.netReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.arbiequiz.shop
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arbiequiz.shop/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arbiequiz.shop/g49t/www.aamahsa-emer6.rest
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arbiequiz.shop/g49t/www.oiyter.xyz
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arbiequiz.shopReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arcelaamiga.shop
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arcelaamiga.shop/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arcelaamiga.shop/g49t/www.itansofwisdom.fun
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arcelaamiga.shopReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arehouse-inventory-93551.bond
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arehouse-inventory-93551.bond/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arehouse-inventory-93551.bond/g49t/www.oiyter.xyz
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.arehouse-inventory-93551.bondReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asik-eye-surgery-90605.bond
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asik-eye-surgery-90605.bond/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asik-eye-surgery-90605.bond/g49t/www.ellnessdigitalmedia.store
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asik-eye-surgery-90605.bondReferer:
          Source: explorer.exe, 00000003.00000000.1397698717.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271667496.000000000C44D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ebastianschlosser.xyz
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ebastianschlosser.xyz/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ebastianschlosser.xyz/g49t/www.aamahsa-emer6.rest
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ebastianschlosser.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellnessdigitalmedia.store
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellnessdigitalmedia.store/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellnessdigitalmedia.store/g49t/www.ntli.biz
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellnessdigitalmedia.storeReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.epression-test-87609.bond
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.epression-test-87609.bond/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.epression-test-87609.bond/g49t/www.ox-packaging-jobs11.online
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.epression-test-87609.bondReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eqiachat3.christmas
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eqiachat3.christmas/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eqiachat3.christmas/g49t/www.arbiequiz.shop
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eqiachat3.christmasReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.erfectescapes.vacations
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.erfectescapes.vacations/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.erfectescapes.vacations/g49t/www.rilens.online
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.erfectescapes.vacationsReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ewrefope.xyz
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ewrefope.xyz/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ewrefope.xyz/g49t/www.arehouse-inventory-93551.bond
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ewrefope.xyzReferer:
          Source: explorer.exe, 00000003.00000000.1387701317.00000000071B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.foreca.com
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.he-eyeofgod.online
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.he-eyeofgod.online/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.he-eyeofgod.online/g49t/www.eqiachat3.christmas
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.he-eyeofgod.onlineReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hermocontrol.xyz
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hermocontrol.xyz/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hermocontrol.xyz/g49t/www.arbiequiz.shop
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hermocontrol.xyzReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itansofwisdom.fun
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itansofwisdom.fun/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itansofwisdom.fun/g49t/www.oisv.info
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itansofwisdom.funReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lockchain.xxx
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lockchain.xxx/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lockchain.xxx/g49t/%&;
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lockchain.xxxReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntli.biz
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntli.biz/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntli.biz/g49t/www.he-eyeofgod.online
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntli.bizReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oisv.info
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oisv.info/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oisv.info/g49t/www.ransmediatupa.store
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oisv.infoReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oiyter.xyz
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oiyter.xyz/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oiyter.xyz/g49t/www.apidrotation.net
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oiyter.xyz/g49t/www.erfectescapes.vacations
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oiyter.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.om-tarewo.icu
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.om-tarewo.icu/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.om-tarewo.icu/g49t/www.asik-eye-surgery-90605.bond
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.om-tarewo.icuReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ox-packaging-jobs11.online
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ox-packaging-jobs11.online/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ox-packaging-jobs11.online/g49t/www.arcelaamiga.shop
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ox-packaging-jobs11.onlineReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.potloans.live
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.potloans.live/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.potloans.live/g49t/www.erfectescapes.vacations
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.potloans.liveReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.radantobin.photography
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.radantobin.photography/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.radantobin.photography/g49t/www.hermocontrol.xyz
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.radantobin.photography/g49t/www.om-tarewo.icu
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.radantobin.photographyReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ransmediatupa.store
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ransmediatupa.store/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ransmediatupa.store/g49t/www.ewrefope.xyz
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ransmediatupa.storeReferer:
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rilens.online
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rilens.online/g49t/
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rilens.online/g49t/www.ebastianschlosser.xyz
          Source: explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rilens.onlineReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sg.productions
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sg.productions/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sg.productions/g49t/www.epression-test-87609.bond
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sg.productionsReferer:
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ydhl.life
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ydhl.life/g49t/
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ydhl.life/g49t/www.radantobin.photography
          Source: explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ydhl.lifeReferer:
          Source: explorer.exe, 00000003.00000000.1391309639.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2318980424.0000000008F83000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 00000003.00000003.2272744772.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2319828529.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.000000000913F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000002.2318980424.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2383960310.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2449470383.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.00000000099F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.00000000099DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 0000000D.00000003.2383960310.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2449470383.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.00000000099F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.00000000099DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/7
          Source: explorer.exe, 0000000D.00000003.2378711157.0000000009936000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000000.1391309639.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2318980424.0000000008F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 0000000D.00000003.2383960310.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2449470383.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.00000000099F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.00000000099DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?0
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2383960310.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2449470383.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.00000000099F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.00000000099DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000003.00000002.2315639009.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.0000000007276000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
          Source: explorer.exe, 00000003.00000002.2318980424.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 0000000D.00000003.2482267354.0000000009911000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2449470383.0000000009912000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.0000000009939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384667501.0000000009939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.0000000009928000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.0000000009912000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378711157.0000000009936000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comT
          Source: explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
          Source: explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm
          Source: explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2C0
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2C0-dark
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
          Source: explorer.exe, 0000000D.00000002.2763729217.00000000085A0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: explorer.exe, 00000003.00000000.1397698717.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2324204599.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374178185.0000000009BB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12I8qo.img
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAQk7ql.img
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1d0ujS.img
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
          Source: explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBUvpML.img
          Source: explorer.exe, 00000003.00000000.1397698717.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2324204599.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374178185.0000000009BB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000000.1397698717.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2324204599.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374178185.0000000009BB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000000.1391309639.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
          Source: explorer.exe, 00000003.00000000.1397698717.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2324204599.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 0000000D.00000003.2397385085.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374178185.0000000009BB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word.office.com8X
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-u
          Source: explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/the-syrupy-ingredient-that-totally-enhances-oatmeal-r
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
          Source: explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/gop-leadership-boots-another-top-democrat-from-capitol-offic
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/judge-erupts-at-trump-s-lawyers-for-wasting-time-with-ridicu
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
          Source: explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
          Source: explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/heatwave-alert-expect-the-hottest-day-in-california-thi
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
          Source: explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
          Source: explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000003.00000000.1387701317.00000000071B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.pollensense.com/
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_006DEAFF
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_006DED6A
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_006DEAFF
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 0_2_006CAA57
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_006F9576

          E-Banking Fraud

          Source: Yara match | File source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: ORDER ENQIRY #093727664.exe PID: 7756, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 7820, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: cmd.exe PID: 7896, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: ORDER ENQIRY #093727664.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: ORDER ENQIRY #093727664.exe, 00000000.00000000.1360437934.0000000000722000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_88d7133f-b
          Source: ORDER ENQIRY #093727664.exe, 00000000.00000000.1360437934.0000000000722000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_69ada745-f
          Source: ORDER ENQIRY #093727664.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_8a77c622-8
          Source: ORDER ENQIRY #093727664.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_01b248e3-8
          Source: initial sampleStatic PE information: Filename: ORDER ENQIRY #093727664.exe
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BF0 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_03072BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AD0 NtReadFile,LdrInitializeThunk,2_2_03072AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F30 NtCreateSection,LdrInitializeThunk,2_2_03072F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F90 NtProtectVirtualMemory,LdrInitializeThunk,2_2_03072F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FB0 NtResumeThread,LdrInitializeThunk,2_2_03072FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FE0 NtCreateFile,LdrInitializeThunk,2_2_03072FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E80 NtReadVirtualMemory,LdrInitializeThunk,2_2_03072E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_03072EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D10 NtMapViewOfSection,LdrInitializeThunk,2_2_03072D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D30 NtUnmapViewOfSection,LdrInitializeThunk,2_2_03072D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DD0 NtDelayExecution,LdrInitializeThunk,2_2_03072DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CA0 NtQueryInformationToken,LdrInitializeThunk,2_2_03072CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074340 NtSetContextThread,2_2_03074340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074650 NtSuspendThread,2_2_03074650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C60 NtCreateKey,2_2_03072C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C70 NtFreeVirtualMemory,2_2_03072C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073090 NtSetValueKey,2_2_03073090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030735C0 NtCreateMutant,2_2_030735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D70 NtOpenThread,2_2_03073D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_003DA330 NtCreateFile,2_2_003DA330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_003DA3E0 NtReadFile,2_2_003DA3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_003DA460 NtClose,2_2_003DA460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_003DA510 NtAllocateVirtualMemory,2_2_003DA510
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_003DA32A NtCreateFile,2_2_003DA32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,2_2_0354A036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354A042 NtQueryInformationProcess,2_2_0354A042
          Source: C:\Windows\explorer.exeCode function: 3_2_101FAE12 NtProtectVirtualMemory,3_2_101FAE12
          Source: C:\Windows\explorer.exeCode function: 3_2_101F9232 NtCreateFile,3_2_101F9232
          Source: C:\Windows\explorer.exeCode function: 3_2_101FAE0A NtProtectVirtualMemory,3_2_101FAE0A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00437460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,4_2_00437460
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00424823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,4_2_00424823
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0042643A NtOpenThreadToken,NtOpenProcessToken,NtClose,4_2_0042643A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_004264CA NtQueryInformationToken,4_2_004264CA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00426500 NtQueryInformationToken,NtQueryInformationToken,4_2_00426500
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0043A135 NtSetInformationFile,4_2_0043A135
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0043C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,4_2_0043C1FA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00414E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,4_2_00414E3B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00424759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,4_2_00424759
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2AD0 NtReadFile,LdrInitializeThunk,4_2_02FF2AD0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2B60 NtClose,LdrInitializeThunk,4_2_02FF2B60
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_02FF2EA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2FE0 NtCreateFile,LdrInitializeThunk,4_2_02FF2FE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2F30 NtCreateSection,LdrInitializeThunk,4_2_02FF2F30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_02FF2CA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_02FF2C70
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2C60 NtCreateKey,LdrInitializeThunk,4_2_02FF2C60
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_02FF2DF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2DD0 NtDelayExecution,LdrInitializeThunk,4_2_02FF2DD0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2D10 NtMapViewOfSection,LdrInitializeThunk,4_2_02FF2D10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF35C0 NtCreateMutant,LdrInitializeThunk,4_2_02FF35C0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF4340 NtSetContextThread,4_2_02FF4340
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF4650 NtSuspendThread,4_2_02FF4650
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2AF0 NtWriteFile,4_2_02FF2AF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2AB0 NtWaitForSingleObject,4_2_02FF2AB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2BF0 NtAllocateVirtualMemory,4_2_02FF2BF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2BE0 NtQueryValueKey,4_2_02FF2BE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2BA0 NtEnumerateValueKey,4_2_02FF2BA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2B80 NtQueryInformationFile,4_2_02FF2B80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2EE0 NtQueueApcThread,4_2_02FF2EE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2E80 NtReadVirtualMemory,4_2_02FF2E80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2E30 NtWriteVirtualMemory,4_2_02FF2E30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2FB0 NtResumeThread,4_2_02FF2FB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2FA0 NtQuerySection,4_2_02FF2FA0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2F90 NtProtectVirtualMemory,4_2_02FF2F90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2F60 NtCreateProcessEx,4_2_02FF2F60
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2CF0 NtOpenProcess,4_2_02FF2CF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2CC0 NtQueryVirtualMemory,4_2_02FF2CC0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2C00 NtQueryInformationProcess,4_2_02FF2C00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2DB0 NtEnumerateKey,4_2_02FF2DB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2D30 NtUnmapViewOfSection,4_2_02FF2D30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF2D00 NtSetInformationFile,4_2_02FF2D00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF3090 NtSetValueKey,4_2_02FF3090
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF3010 NtOpenDirectoryObject,4_2_02FF3010
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF39B0 NtGetContextThread,4_2_02FF39B0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF3D70 NtOpenThread,4_2_02FF3D70
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02FF3D10 NtOpenProcessToken,4_2_02FF3D10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_024BA330 NtCreateFile,4_2_024BA330
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_024BA3E0 NtReadFile,4_2_024BA3E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_024BA460 NtClose,4_2_024BA460
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_024BA32A NtCreateFile,4_2_024BA32A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02DC9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,4_2_02DC9BAF
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02DCA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,4_2_02DCA036
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02DC9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_02DC9BB2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_02DCA042 NtQueryInformationProcess,4_2_02DCA042
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006CD5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_006CD5EB
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_006C1201
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_006CE8F6
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006680600_2_00668060
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006D20460_2_006D2046
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006C82980_2_006C8298
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0069E4FF0_2_0069E4FF
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0069676B0_2_0069676B
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006F48730_2_006F4873
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0066CAF00_2_0066CAF0
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0068CAA00_2_0068CAA0
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0067CC390_2_0067CC39
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00696DD90_2_00696DD9
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0067D0640_2_0067D064
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0067B1190_2_0067B119
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006691C00_2_006691C0
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006813940_2_00681394
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006817060_2_00681706
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0068781B0_2_0068781B
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0067997D0_2_0067997D
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006679200_2_00667920
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006819B00_2_006819B0
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00687A4A0_2_00687A4A
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00681C770_2_00681C77
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00687CA70_2_00687CA7
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006EBE440_2_006EBE44
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00699EEE0_2_00699EEE
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0066BF400_2_0066BF40
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00681F320_2_00681F32
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00CB61980_2_00CB6198
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031003E6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C02C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030100
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F41A2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031001AA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F81CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064750
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305C6E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03100591
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F2446
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EE4F6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F6BD7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310A9A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304A840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030268B8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E8F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03082F28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E2F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BEFA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304CFE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEE26
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040E59
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052E90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FCE93
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEEDB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304AD00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DCD1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03058DBF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303ADE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0CB5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030CF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F132D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302D34C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0308739A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307516C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310B16B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304B1B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EF0CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F70E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF0E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF7B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085630
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7571
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DD5B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031095C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF43F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03031460
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFB76
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FB80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B5BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307DBF9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFA49
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7A46
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B3A6C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DDAAC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E1AA3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EDAC6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D5910
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AD800
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030438E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFF09
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03041F92
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFFB1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049EB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03043D40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F1D5A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7D73
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FDC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B9C32
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFCF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003DE525
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003DE796
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003C2D90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003C2D89
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003C2FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003C1030
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003C1208
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003DD884
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003DDBA3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003C9E60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003C9E5D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0354A036
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0354B232
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03541082
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0354E5CD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03545B30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03545B32
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03548912
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03542D02
          Source: C:\Windows\explorer.exe | Code function: 3_2_101F9232
          Source: C:\Windows\explorer.exe | Code function: 3_2_101F8036
          Source: C:\Windows\explorer.exe | Code function: 3_2_101EF082
          Source: C:\Windows\explorer.exe | Code function: 3_2_101F6912
          Source: C:\Windows\explorer.exe | Code function: 3_2_101F0D02
          Source: C:\Windows\explorer.exe | Code function: 3_2_101F3B32
          Source: C:\Windows\explorer.exe | Code function: 3_2_101F3B30
          Source: C:\Windows\explorer.exe | Code function: 3_2_101FC5CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_10684036
          Source: C:\Windows\explorer.exe | Code function: 3_2_1067B082
          Source: C:\Windows\explorer.exe | Code function: 3_2_1067CD02
          Source: C:\Windows\explorer.exe | Code function: 3_2_10682912
          Source: C:\Windows\explorer.exe | Code function: 3_2_106885CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_10685232
          Source: C:\Windows\explorer.exe | Code function: 3_2_1067FB32
          Source: C:\Windows\explorer.exe | Code function: 3_2_1067FB30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00424875
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0041540A
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00414C10
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_004174B1
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00419144
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0043695A
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00434191
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00416E57
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0041D660
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00433E66
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0041EE03
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00417A34
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00424EC1
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00425A86
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0043769E
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00423EB3
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00420740
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00416B20
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_00420BF0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307A352
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030803E6
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FCE3F0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03060274
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030402C0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0305A118
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03048158
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030801AA
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030741A2
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030781CC
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03052000
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FB0100
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FDC6E0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FBC7C0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC0770
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FE4750
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03080591
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03064420
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03072446
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC0535
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0306E4F6
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307AB40
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FBEA80
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03076BD7
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FEE8F0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FA68B8
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0308A9A6
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FCA840
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC2840
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC29A0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FD6962
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03002F28
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03062F30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03034F40
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FD2E90
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0303EFA0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC0E59
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FCCFE0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307EE26
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FB2FC8
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307CE93
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FE0F30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307EEDB
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FB0CF2
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0305CD1F
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC0C00
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FBADE0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FD8DBF
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03060CB5
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FCAD00
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307132D
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FDB2C0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC52A0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0300739A
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FAD34C
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030612ED
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC70C0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0308B16B
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FCB1B0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FAF172
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FF516C
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0306F0CC
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307F0E0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030770E9
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307F7B0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03005630
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030716CC
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03077571
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FB1460
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0305D5B0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_030895C3
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307F43F
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307FB76
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03035BF0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FFDBF9
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03077A46
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307FA49
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03033A6C
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FDFB80
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03005AA0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03061AA3
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0305DAAC
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0306DAC6
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03055910
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC38E0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0302D800
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC9950
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FDB950
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307FF09
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC9EB0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307FFB1
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F83FD2
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02F83FD5
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC1F92
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03071D5A
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03077D73
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_03039C32
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FDFDC0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02FC3D40
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_0307FCF2
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024BE796
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024BE525
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024BDBA3
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024BD883
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024A9E5D
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024A9E60
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024A2FB0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024A2D89
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_024A2D90
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02DCA036
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02DCB232
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02DC5B30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02DC5B32
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02DC1082
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02DC8912
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02DCE5CD
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_02DC2D02
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 277 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 111 times
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 0302EA12 appears 86 times
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 02FAB970 appears 277 times
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03007E54 appears 111 times
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 02FF5130 appears 58 times
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 0303F290 appears 105 times
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: String function: 00669CB3 appears 31 times
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: String function: 00680A30 appears 46 times
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: String function: 0067F9F2 appears 40 times
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4056 -s 3612
          Source: ORDER ENQIRY #093727664.exe, 00000000.00000003.1374050247.0000000003763000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ORDER ENQIRY #093727664.exe
          Source: ORDER ENQIRY #093727664.exe, 00000000.00000003.1374345990.000000000390D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ORDER ENQIRY #093727664.exe
          Source: ORDER ENQIRY #093727664.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: ORDER ENQIRY #093727664.exe PID: 7756, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 7820, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cmd.exe PID: 7896, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/8@6/0
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D37B5 GetLastError,FormatMessageW, | 0_2_006D37B5
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006C10BF AdjustTokenPrivileges,CloseHandle, | 0_2_006C10BF
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 0_2_006C16C3
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, | 0_2_006D51CD
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, | 0_2_006EA67C
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, | 0_2_006D648E
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Code function: 0_2_006642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, | 0_2_006642A2
          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
          Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4056
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | File created: C:\Users\user~1\AppData\Local\Temp\electicism
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\explorer.exe
          Source: ORDER ENQIRY #093727664.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: ORDER ENQIRY #093727664.exe | Virustotal: Detection: 43%
          Source: ORDER ENQIRY #093727664.exe | ReversingLabs: Detection: 42%
          Source: unknown | Process created: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe"
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4056 -s 3612
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
          Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
          Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
          Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
          Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
          Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
          Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
          Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
          Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
          Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
          Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
          Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\explorer.exe | Section loaded: slc.dll
          Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
          Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
          Source: C:\Windows\explorer.exe | Section loaded: idstore.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.applicationmodel.dll
          Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: wlidprov.dll
          Source: C:\Windows\explorer.exe | Section loaded: samcli.dll
          Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
          Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
          Source: C:\Windows\explorer.exe | Section loaded: mmdevapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: devobj.dll
          Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.dll
          Source: C:\Windows\explorer.exe | Section loaded: oleacc.dll
          Source: C:\Windows\explorer.exe | Section loaded: appextension.dll
          Source: C:\Windows\explorer.exe | Section loaded: textshaping.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.ui.dll
          Source: C:\Windows\explorer.exe | Section loaded: windowmanagementapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: textinputframework.dll
          Source: C:\Windows\explorer.exe | Section loaded: inputhost.dll
          Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
          Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
          Source: C:\Windows\explorer.exe | Section loaded: windowscodecs.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: dcomp.dll
          Source: C:\Windows\explorer.exe | Section loaded: d3d11.dll
          Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: d3d10warp.dll
          Source: C:\Windows\explorer.exe | Section loaded: dxcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: d2d1.dll
          Source: C:\Windows\explorer.exe | Section loaded: dwrite.dll
          Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
          Source: C:\Windows\explorer.exe | Section loaded: cldapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: fltlib.dll
          Source: C:\Windows\explorer.exe | Section loaded: dataexchange.dll
          Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
          Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
          Source: C:\Windows\explorer.exe | Section loaded: tiledatarepository.dll
          Source: C:\Windows\explorer.exe | Section loaded: staterepository.core.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepository.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinui.pcshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
          Source: C:\Windows\explorer.exe | Section loaded: wincorlib.dll
          Source: C:\Windows\explorer.exe | Section loaded: cdp.dll
          Source: C:\Windows\explorer.exe | Section loaded: dsreg.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.immersiveshell.serviceprovider.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorycore.dll
          Source: C:\Windows\explorer.exe | Section loaded: mrmcorer.dll
          Source: C:\Windows\explorer.exe | Section loaded: languageoverlayutil.dll
          Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
          Source: C:\Windows\explorer.exe | Section loaded: thumbcache.dll
          Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
          Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\explorer.exe | Section loaded: photometadatahandler.dll
          Source: C:\Windows\explorer.exe | Section loaded: ntshrui.dll
          Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: linkinfo.dll
          Source: C:\Windows\explorer.exe | Section loaded: ehstorshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
          Source: C:\Windows\explorer.exe | Section loaded: provsvc.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinui.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: twinui.dll
          Source: C:\Windows\explorer.exe | Section loaded: pdh.dll
          Source: C:\Windows\explorer.exe | Section loaded: applicationframe.dll
          Source: C:\Windows\explorer.exe | Section loaded: rmclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: holographicextensions.dll
          Source: C:\Windows\explorer.exe | Section loaded: virtualmonitormanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.ui.immersive.dll
          Source: C:\Windows\explorer.exe | Section loaded: abovelockapphost.dll
          Source: C:\Windows\explorer.exe | Section loaded: npsm.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.shell.bluelightreduction.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.web.dll
          Source: C:\Windows\explorer.exe | Section loaded: mscms.dll
          Source: C:\Windows\explorer.exe | Section loaded: coloradapterclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.signals.dll
          Source: C:\Windows\explorer.exe | Section loaded: tdh.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorybroker.dll
          Source: C:\Windows\explorer.exe | Section loaded: pcshellcommonproxystub.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfplat.dll
          Source: C:\Windows\explorer.exe | Section loaded: rtworkq.dll
          Source: C:\Windows\explorer.exe | Section loaded: taskflowdataengine.dll
          Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
          Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.system.launcher.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.security.authentication.web.core.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.shell.servicehostbuilder.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.data.activities.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.ui.shell.windowtabmanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: notificationcontrollerps.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.devices.enumeration.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
          Source: C:\Windows\explorer.exe | Section loaded: icu.dll
          Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
          Source: C:\Windows\explorer.exe | Section loaded: devdispitemprovider.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.networking.connectivity.dll
          Source: C:\Windows\explorer.exe | Section loaded: stobject.dll
          Source: C:\Windows\explorer.exe | Section loaded: wmiclnt.dll
          Source: C:\Windows\explorer.exe | Section loaded: workfoldersshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.fileexplorer.common.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.ui.core.textinput.dll
          Source: C:\Windows\explorer.exe | Section loaded: windowsudk.shellcommon.dll
          Source: C:\Windows\explorer.exe | Section loaded: dictationmanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: uianimation.dll
          Source: C:\Windows\explorer.exe | Section loaded: npmproxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
          Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
          Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
          Source: C:\Windows\explorer.exe | Section loaded: dpapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: msasn1.dll
          Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\explorer.exe | Section loaded: schannel.dll
          Source: C:\Windows\explorer.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\explorer.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\explorer.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\explorer.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\explorer.exe | Section loaded: gpapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
          Source: C:\Windows\explorer.exe | Section loaded: shellcommoncommonproxystub.dll
          Source: C:\Windows\explorer.exe | Section loaded: cryptngc.dll
          Source: C:\Windows\explorer.exe | Section loaded: cflapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: execmodelproxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: daxexec.dll
          Source: C:\Windows\explorer.exe | Section loaded: container.dll
          Source: C:\Windows\explorer.exe | Section loaded: uiautomationcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: samlib.dll
          Source: C:\Windows\explorer.exe | Section loaded: batmeter.dll
          Source: C:\Windows\explorer.exe | Section loaded: capabilityaccessmanagerclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: inputswitch.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.ui.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: prnfldr.dll
          Source: C:\Windows\explorer.exe | Section loaded: es.dll
          Source: C:\Windows\explorer.exe | Section loaded: wpnclient.dll
          Source: C:\Windows\explorer.exe | Section loaded: dxp.dll
          Source: C:\Windows\explorer.exe | Section loaded: shdocvw.dll
          Source: C:\Windows\explorer.exe | Section loaded: syncreg.dll
          Source: C:\Windows\explorer.exe | Section loaded: atlthunk.dll
          Source: C:\Windows\explorer.exe | Section loaded: audioses.dll
          Source: C:\Windows\explorer.exe | Section loaded: actioncenter.dll
          Source: C:\Windows\explorer.exe | Section loaded: wevtapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: pnidui.dll
          Source: C:\Windows\explorer.exe | Section loaded: mobilenetworking.dll
          Source: C:\Windows\explorer.exe | Section loaded: netprofm.dll
          Source: C:\Windows\explorer.exe | Section loaded: wscinterop.dll
          Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: networkuxbroker.dll
          Source: C:\Windows\explorer.exe | Section loaded: ethernetmediamanager.dll
          Source: C:\Windows\explorer.exe | Section loaded: dusmapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: werconcpl.dll
          Source: C:\Windows\explorer.exe | Section loaded: framedynos.dll
          Source: C:\Windows\explorer.exe | Section loaded: wer.dll
          Source: C:\Windows\explorer.exe | Section loaded: hcproviders.dll
          Source: C:\Windows\explorer.exe | Section loaded: wlanapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: ncsi.dll
          Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\explorer.exe | Section loaded: wpdshserviceobj.dll
          Source: C:\Windows\explorer.exe | Section loaded: portabledevicetypes.dll
          Source: C:\Windows\explorer.exe | Section loaded: portabledeviceapi.dll
          Source: C:\Windows\explorer.exe | Section loaded: cscobj.dll
          Source: C:\Windows\explorer.exe | Section loaded: srchadmin.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
          Source: C:\Windows\explorer.exe | Section loaded: synccenter.dll
          Source: C:\Windows\explorer.exe | Section loaded: imapi2.dll
          Source: C:\Windows\explorer.exe | Section loaded: ieproxy.dll
          Source: C:\Windows\explorer.exe | Section loaded: sxs.dll
          Source: C:\Windows\explorer.exe | Section loaded: storageusage.dll
          Source: C:\Windows\explorer.exe | Section loaded: settingsync.dll
          Source: C:\Windows\explorer.exe | Section loaded: settingsynccore.dll
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32Jump to behavior
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: ORDER ENQIRY #093727664.exe; Static file information: File size 1384448 > 1048576
Source: ORDER ENQIRY #093727664.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ORDER ENQIRY #093727664.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ORDER ENQIRY #093727664.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ORDER ENQIRY #093727664.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ORDER ENQIRY #093727664.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ORDER ENQIRY #093727664.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ORDER ENQIRY #093727664.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: ORDER ENQIRY #093727664.exe, 00000000.00000003.1374755177.0000000003640000.00000004.00001000.00020000.00000000.sdmp, ORDER ENQIRY #093727664.exe, 00000000.00000003.1371376355.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1445137068.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1445137068.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1375955576.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1382221669.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2737366808.0000000002F80000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2737366808.000000000311E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1444672233.0000000002C23000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1446535072.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: svchost.exe, 00000002.00000003.1444153418.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1443966435.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2679435681.0000000000410000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: ORDER ENQIRY #093727664.exe, 00000000.00000003.1374755177.0000000003640000.00000004.00001000.00020000.00000000.sdmp, ORDER ENQIRY #093727664.exe, 00000000.00000003.1371376355.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1445137068.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1445137068.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1375955576.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1382221669.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000004.00000002.2737366808.0000000002F80000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2737366808.000000000311E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1444672233.0000000002C23000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1446535072.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.2329407776.0000000010DFF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.2734085137.00000000029B5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2740662865.00000000034CF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2805189540.000000000A8BF000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: cmd.pdb source: svchost.exe, 00000002.00000003.1444153418.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1443966435.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000004.00000002.2679435681.0000000000410000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.2329407776.0000000010DFF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.2734085137.00000000029B5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2740662865.00000000034CF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2805189540.000000000A8BF000.00000004.80000000.00040000.00000000.sdmp
Source: ORDER ENQIRY #093727664.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ORDER ENQIRY #093727664.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ORDER ENQIRY #093727664.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ORDER ENQIRY #093727664.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ORDER ENQIRY #093727664.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo; 0_2_006642DE
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006AE859 push 00000000h; ret; 0_2_006AE8FD
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006AE8FF push 00000000h; ret; 0_2_006AE901
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_00680A76 push ecx; ret; 0_2_00680A89
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_0066900A push 00000000h; iretd; 0_2_0066900C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx; 2_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003D6579 push FFFFFFF0h; ret; 2_2_003D657C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003D65BD push eax; iretd; 2_2_003D65D4
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003C46C6 push ebx; ret; 2_2_003C46CA
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003D6750 push eax; retf; 2_2_003D6751
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003CB418 push ds; ret; 2_2_003CB419
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003DD485 push eax; ret; 2_2_003DD4D8
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003DD4DB push eax; ret; 2_2_003DD542
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003DD4D2 push eax; ret; 2_2_003DD4D8
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003DD53C push eax; ret; 2_2_003DD542
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003DD569 push eax; ret; 2_2_003DD542
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_003D9C13 push FFFFFF87h; ret; 2_2_003D9C1F
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0354EB1E push esp; retn 0000h; 2_2_0354EB1F
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0354EB02 push esp; retn 0000h; 2_2_0354EB03
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0354E9B5 push esp; retn 0000h; 2_2_0354EAE7
Source: C:\Windows\explorer.exe; Code function: 3_2_101FCB1E push esp; retn 0000h; 3_2_101FCB1F
Source: C:\Windows\explorer.exe; Code function: 3_2_101FCB02 push esp; retn 0000h; 3_2_101FCB03
Source: C:\Windows\explorer.exe; Code function: 3_2_101FC9B5 push esp; retn 0000h; 3_2_101FCAE7
Source: C:\Windows\explorer.exe; Code function: 3_2_106889B5 push esp; retn 0000h; 3_2_10688AE7
Source: C:\Windows\explorer.exe; Code function: 3_2_10688B02 push esp; retn 0000h; 3_2_10688B03
Source: C:\Windows\explorer.exe; Code function: 3_2_10688B1E push esp; retn 0000h; 3_2_10688B1F
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_004271ED push ecx; ret; 4_2_00427200
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_0042722B push ecx; ret; 4_2_0042723E
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_02F8225F pushad; ret; 4_2_02F827F9
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_02F827FA pushad; ret; 4_2_02F827F9
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_02F8283D push eax; iretd; 4_2_02F82858
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_02FB09AD push ecx; mov dword ptr [esp], ecx; 4_2_02FB09B6
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_0067F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput; 0_2_0067F98E
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed; 0_2_006F1C41
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep; graph_0-95859
Source: C:\Windows\explorer.exe; System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; API/Special instruction interceptor: Address: CB5DBC
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\cmd.exe; API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\svchost.exe; RDTSC instruction interceptor: First address: 3C9904, second address: 3C990A; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe; RDTSC instruction interceptor: First address: 3C9B7E, second address: 3C9B84; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe; RDTSC instruction interceptor: First address: 24A9904, second address: 24A990A; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe; RDTSC instruction interceptor: First address: 24A9B7E, second address: 24A9B84; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe; File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0307096E rdtsc; 2_2_0307096E
Source: C:\Windows\explorer.exe; Window / User API: threadDelayed 9722
Source: C:\Windows\explorer.exe; Window / User API: foregroundWindowGot 903
Source: C:\Windows\explorer.exe; Window / User API: foregroundWindowGot 851
Source: C:\Windows\SysWOW64\cmd.exe; Window / User API: threadDelayed 3200
Source: C:\Windows\SysWOW64\cmd.exe; Window / User API: threadDelayed 6771
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; API coverage: 3.4 %
Source: C:\Windows\SysWOW64\svchost.exe; API coverage: 2.0 %
Source: C:\Windows\SysWOW64\cmd.exe; API coverage: 1.0 %
Source: C:\Windows\explorer.exe TID: 8168; Thread sleep count: 9722 > 30
Source: C:\Windows\explorer.exe TID: 8168; Thread sleep time: -19444000s >= -30000s
Source: C:\Windows\explorer.exe TID: 8168; Thread sleep count: 220 > 30
Source: C:\Windows\explorer.exe TID: 8168; Thread sleep time: -440000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 8024; Thread sleep count: 3200 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 8024; Thread sleep time: -6400000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 8024; Thread sleep count: 6771 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 8024; Thread sleep time: -13542000s >= -30000s
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0069C2A2 FindFirstFileExW,0_2_0069C2A2
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006D68EE FindFirstFileW,FindClose,0_2_006D68EE
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_006D698F
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006CD076
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006CD3A9
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006D9642
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006D979D
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_006D9B2B
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_006CDBBE
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006D5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_006D5C97
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0042589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,4_2_0042589A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00433E66 FindFirstFileW,FindNextFileW,FindClose,4_2_00433E66
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00420207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,4_2_00420207
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00424EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00424EC1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0041532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,4_2_0041532E
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_006642DE
Source: explorer.exe, 00000003.00000002.2312204594.0000000000C74000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 0000000D.00000003.2433516442.0000000009C1F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000000D.00000003.2433516442.0000000009C1F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: NECVMWarVMware SATA CD001.00{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\cSlxmZKfZsPklGRAvJyjrhPrSNDwGpnbFeudCfckgDDSPw
Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000D.00000002.2672610852.00000000010D5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 h
Source: explorer.exe, 0000000D.00000003.2433516442.0000000009CA3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}dll
          Source: explorer.exe, 0000000D.00000003.2482267354.0000000009911000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2449470383.0000000009912000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.0000000009939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384667501.0000000009939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.0000000009928000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.0000000009912000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378711157.0000000009936000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW\user
Source: explorer.exe, 00000003.00000000.1391309639.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000D.00000003.2433516442.0000000009C1F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: NECVMWarVMware SATA CD001.00j
Source: explorer.exe, 0000000D.00000003.2446428012.000000000C7E8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: War&Prod_VMware_pg
Source: explorer.exe, 0000000D.00000003.2433516442.0000000009CA3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\281
          Source: explorer.exe, 00000003.00000002.2318980424.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2385661594.0000000009B46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.0000000009B40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378524181.0000000009B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.0000000009B40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.0000000009B40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2383960310.0000000009B40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2383080972.0000000009B40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009B40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384738063.0000000009B46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 0000000D.00000002.2764027804.00000000099D8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 0000000D.00000003.2449285564.000000000C953000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&
Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000003.00000003.2272665489.000000000730A000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 0000000D.00000003.2439478215.000000000C8ED000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000D.00000003.2439478215.000000000C8ED000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000*e
Source: explorer.exe, 0000000D.00000003.2433516442.0000000009CA3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e\
Source: explorer.exe, 00000003.00000000.1391309639.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000003.00000000.1391309639.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000003.00000003.2273084852.0000000009052000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 0000000D.00000002.2955115782.000000000C813000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000000D.00000003.2482267354.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.0000000009AF3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`x
          Source: explorer.exe, 0000000D.00000003.2433516442.0000000009CA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 0000000D.00000003.2374714058.00000000099DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4NECVMWar VMware SATA CD00
          Source: explorer.exe, 00000003.00000002.2318980424.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
          Source: explorer.exe, 0000000D.00000003.2397385085.0000000009B90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
          Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware20,1
          Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
          Source: explorer.exe, 00000003.00000000.1391309639.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMWare
          Source: explorer.exe, 00000003.00000003.2273084852.0000000009052000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
          Source: explorer.exe, 00000003.00000003.2272665489.000000000730A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000003.00000002.2318980424.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.0000000008F27000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWT`
          Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIES1371
          Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
          Source: explorer.exe, 0000000D.00000003.2433516442.0000000009CA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exe
          Source: explorer.exe, 0000000D.00000003.2439478215.000000000C8ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000`
          Source: explorer.exe, 0000000D.00000002.2764027804.00000000099D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}r
          Source: explorer.exe, 00000003.00000000.1386151526.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
          Source: explorer.exe, 0000000D.00000002.2672610852.00000000010D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 0000000D.00000003.2482267354.0000000009B89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.2312204594.0000000000C74000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
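The strings above were carved from explorer.exe memory and identify the analysis host as a VMware guest (SMBIOS vendor and BIOS version strings, "VMware SVGA II", and SCSI device paths for the virtual disk and "NECVMWar VMware SATA CD00" drive). As an added example, not code from Joe Sandbox or from the sample, the Python below decomposes the two Windows device-path forms seen here (device instance path `SCSI\CdRom&Ven_...\4&...` and device interface path `\\?\scsi#cdrom&ven_...#{GUID}`) into enumerator, class, vendor, product, instance id and interface class, then votes on the hypervisor. The vendor tokens and weights are the example's own assumptions; the GUID names are the Windows SDK device interface class constants, and the sample input is copied from the rows above. "Hyper-V RAW" is weighted low because the hit on this page sits next to a `DriverStore\en-US\machine.inf_loc` path, i.e. it comes from a driver-store string table rather than from an enumerated device.

```python
"""Classify hypervisor artifacts in strings carved from process memory.

Added example for this report, not Joe Sandbox code. Sample strings are copied
from the "Binary or memory string" rows above; the weights, vendor-token table
and device-path grammar are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Device instance path   : SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
# Device interface path  : \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{GUID}
# Both carry enumerator, class, vendor, product, instance id; the interface form adds the GUID.
_DEVICE_PATH = re.compile(
    r"(?i)(?P<enum>scsi|ide|usbstor|pci)[\\#]"
    r"(?P<class>[a-z]+)&ven_(?P<vendor>[^&\\#]+)&prod_(?P<product>[^\\#]+)"
    r"[\\#](?P<instance>[0-9a-f]+&[0-9a-f]+&\d+&\d+)"
    r"(?:#\{(?P<iface>[0-9a-f-]{36})\})?"
)

# Device interface class GUIDs that occur on this page (Windows SDK constants).
_IFACE_CLASS = {
    "53f56307-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_DISK",
    "53f56308-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_CDROM",
    "53f5630d-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_VOLUME",
}

# (pattern, hypervisor, weight). Weights are assumptions: vendor/SMBIOS tokens are
# strong; "Hyper-V RAW" is weak because the hit above is adjacent to a
# DriverStore\...\machine.inf_loc path, a driver-store string, not a device.
_HINTS = (
    (re.compile(r"(?i)vmware|necvmwar|vmw-|vmw\d"), "VMware", 3),
    (re.compile(r"(?i)vbox|virtualbox|oracle vm"), "VirtualBox", 3),
    (re.compile(r"(?i)qemu|bochs"), "QEMU", 3),
    (re.compile(r"(?i)hyper-v|vmbus"), "Hyper-V", 1),
    (re.compile(r"(?i)virtual_disk|virtual ram|virtual cd"), "generic-virtual", 1),
)


@dataclass
class Artifact:
    raw: str
    hypervisor: Optional[str]
    weight: int
    device: Optional[Dict[str, Optional[str]]]


def classify(s: str) -> Artifact:
    """Score one string; if it is a device path, decompose it as well."""
    device = None
    m = _DEVICE_PATH.search(s)
    if m:
        device = {k: m.group(k) for k in ("enum", "class", "vendor", "product", "instance")}
        device["interface"] = _IFACE_CLASS.get((m.group("iface") or "").lower())
    hypervisor, weight = None, 0
    for pattern, name, w in _HINTS:          # keep the strongest matching hint
        if w > weight and pattern.search(s):
            hypervisor, weight = name, w
    return Artifact(s, hypervisor, weight, device)


def summarize(strings: List[str]) -> dict:
    """Vote across all strings; de-duplicate devices by (vendor, product, instance)."""
    votes: Dict[str, int] = {}
    devices: Dict[tuple, dict] = {}
    for s in strings:
        a = classify(s)
        if a.hypervisor:
            votes[a.hypervisor] = votes.get(a.hypervisor, 0) + a.weight
        if a.device:
            key = tuple(a.device[k].lower() for k in ("vendor", "product", "instance"))
            devices.setdefault(key, a.device)  # first sighting wins (interface form, if seen first)
    verdict = max(votes, key=votes.get) if votes else None
    return {"verdict": verdict, "votes": votes, "devices": list(devices.values())}


# Constructed input: strings copied from the memory-string rows of this report.
SAMPLE_STRINGS = [
    "Hyper-V RAW",
    "VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1",
    r"\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}",
    "VMware SVGA II",
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000",
    r"SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000",
    "VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0",
    r"Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_STRINGS)
    print(result["verdict"], result["votes"])
    for dev in result["devices"]:
        print(dev)
```

Run as a script it prints the verdict and the two distinct virtual devices (the CD-ROM is seen twice, once as an instance path and once as an interface path with GUID_DEVINTERFACE_CDROM, and is collapsed to one entry). Feeding it the output of `strings` over a memory dump gives the same classification the sample's own checks are after, which is useful when deciding whether a detonation host will survive this family's VM checks.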
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
          Source: C:\Windows\explorer.exeProcess queried: DebugPort
          Source: C:\Windows\explorer.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0307096E rdtsc 2_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006DEAA2 BlockInput,0_2_006DEAA2
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00692622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00692622
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_006642DE
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00684CE8 mov eax, dword ptr fs:[00000030h]0_2_00684CE8
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00CB6088 mov eax, dword ptr fs:[00000030h]0_2_00CB6088
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00CB6028 mov eax, dword ptr fs:[00000030h]0_2_00CB6028
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00CB49E8 mov eax, dword ptr fs:[00000030h]0_2_00CB49E8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]2_2_0302C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]2_2_03050310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]2_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h]2_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]2_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]2_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]2_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]2_2_030D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310634F mov eax, dword ptr fs:[00000030h]2_2_0310634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]2_2_030D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]2_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]2_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]2_2_030EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]2_2_030B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]2_2_030663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]2_2_0302823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]2_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]2_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310625D mov eax, dword ptr fs:[00000030h]2_2_0310625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]2_2_0302A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]2_2_03036259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]2_2_0302826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h]2_2_031062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]2_2_030F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]2_2_03060124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]2_2_0302C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]2_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]2_2_03070185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]2_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]2_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]2_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]2_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]2_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]2_2_030649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]2_2_030FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]2_2_030BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]2_2_030629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]2_2_030629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]2_2_030BC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]2_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]2_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]2_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]2_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]2_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]2_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]2_2_0306A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]2_2_030D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]2_2_030D483A
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_006C0B62
          Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00692622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00692622
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_0068083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0068083F
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_006809D5 SetUnhandledExceptionFilter,0_2_006809D5
          Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exeCode function: 0_2_00680C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00680C21
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00426EC0 SetUnhandledExceptionFilter,4_2_00426EC0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00426B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00426B40

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Section loaded: NULL; target: C:\Windows\SysWOW64\svchost.exe; protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL; target: C:\Windows\explorer.exe; protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL; target: C:\Windows\SysWOW64\cmd.exe; protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL; target: C:\Windows\SysWOW64\cmd.exe; protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: NULL; target: C:\Windows\explorer.exe; protection: read write
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: NULL; target: C:\Windows\explorer.exe; protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: NULL; target: C:\Windows\explorer.exe; protection: read write
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: NULL; target: C:\Windows\explorer.exe; protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe; Thread register set: target process: 4056
Source: C:\Windows\SysWOW64\cmd.exe; Thread register set: target process: 4056
Source: C:\Windows\SysWOW64\cmd.exe; Thread register set: target process: 5968
Source: C:\Windows\SysWOW64\svchost.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\svchost.exe; Section unmapped: C:\Windows\SysWOW64\cmd.exe; base address: 410000
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Memory written: C:\Windows\SysWOW64\svchost.exe; base: 4A2008
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006A2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006CB226 SendInput,keybd_event
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: ORDER ENQIRY #093727664.exe; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ORDER ENQIRY #093727664.exe, explorer.exe, 00000003.00000002.2315520391.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2319828529.000000000901F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2273084852.000000000901E000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.1385680037.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2672610852.00000000010D5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1385680037.0000000001440000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: ?Program Manager
Source: explorer.exe, 00000003.00000000.1384998039.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312204594.0000000000C59000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: 1Progman
Source: explorer.exe, 00000003.00000000.1385680037.0000000001440000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
Source: explorer.exe, 0000000D.00000003.2320107660.0000000007B2B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2321597213.0000000007B4B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWndr
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_00680698 cpuid
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_00416854 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_00418572 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_00419310 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006BD27A GetUserNameW
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_0069B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: explorer.exe, 0000000D.00000002.2955115782.000000000C797000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

          Stealing of Sensitive Information

Source: Yara match; File source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: ORDER ENQIRY #093727664.exe; Binary or memory string: WIN_81
Source: ORDER ENQIRY #093727664.exe; Binary or memory string: WIN_XP
Source: ORDER ENQIRY #093727664.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: ORDER ENQIRY #093727664.exe; Binary or memory string: WIN_XPe
Source: ORDER ENQIRY #093727664.exe; Binary or memory string: WIN_VISTA
Source: ORDER ENQIRY #093727664.exe; Binary or memory string: WIN_7
Source: ORDER ENQIRY #093727664.exe; Binary or memory string: WIN_8

          Remote Access Functionality

Source: Yara match; File source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ORDER ENQIRY #093727664.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe; Code function: 0_2_006E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (rendered as a grid in the original; per-technique signature counts are not recoverable from the extracted text and are omitted here)

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Techniques marked for this sample: Valid Accounts; Native API; Shared Modules; DLL Side-Loading; Exploitation for Privilege Escalation; Access Token Manipulation; Process Injection; Disable or Modify Tools; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Masquerading; Virtualization/Sandbox Evasion; Input Capture; Clipboard Data; Archive Collected Data; System Time Discovery; Account Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Process Discovery; Application Window Discovery; System Owner/User Discovery; Ingress Tool Transfer; Encrypted Channel; Non-Application Layer Protocol; Application Layer Protocol; System Shutdown/Reboot
Behavior Graph (rendered as an image in the original; summary recovered from the extracted text)

Behavior Graph ID: 1590631; Sample: ORDER ENQIRY #093727664.exe; Start date: 14/01/2025; Architecture: WINDOWS; Score: 100
Contacted hosts: www.ydhl.life, www.rilens.online, 6 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
ORDER ENQIRY #093727664.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; starts svchost.exe
svchost.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures; injects into explorer.exe
explorer.exe (injected): starts cmd.exe and WerFault.exe
cmd.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces; starts explorer.exe and cmd.exe
explorer.exe (started by cmd.exe): Query firmware table information (likely to detect VMs)
cmd.exe (started by cmd.exe): starts conhost.exe

Antivirus detection for the submitted sample

Source | Detection | Scanner | Label | Link
ORDER ENQIRY #093727664.exe | 43% | Virustotal | | Browse
ORDER ENQIRY #093727664.exe | 42% | ReversingLabs | Win32.Trojan.Leonem |
ORDER ENQIRY #093727664.exe | 100% | Avira | DR/AutoIt.Gen8 |
ORDER ENQIRY #093727664.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
          SourceDetectionScannerLabelLink
          http://www.ellnessdigitalmedia.storeReferer:0%Avira URL Cloudsafe
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark0%Avira URL Cloudsafe
          http://www.ewrefope.xyz/g49t/0%Avira URL Cloudsafe
          http://www.aamahsa-emer6.rest/g49t/www.radantobin.photography0%Avira URL Cloudsafe
          http://www.erfectescapes.vacations0%Avira URL Cloudsafe
          http://www.oisv.infoReferer:0%Avira URL Cloudsafe
          http://www.ransmediatupa.storeReferer:0%Avira URL Cloudsafe
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark0%Avira URL Cloudsafe
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2C0-dark0%Avira URL Cloudsafe
          http://www.ebastianschlosser.xyzReferer:0%Avira URL Cloudsafe
          http://www.ntli.biz/g49t/0%Avira URL Cloudsafe
          http://www.itansofwisdom.fun/g49t/0%Avira URL Cloudsafe
          http://www.ewrefope.xyzReferer:0%Avira URL Cloudsafe
          http://www.ransmediatupa.store/g49t/www.ewrefope.xyz0%Avira URL Cloudsafe
          http://www.ox-packaging-jobs11.online0%Avira URL Cloudsafe
          http://www.oisv.info0%Avira URL Cloudsafe
          http://www.hermocontrol.xyz/g49t/www.arbiequiz.shop0%Avira URL Cloudsafe
          http://www.eqiachat3.christmas0%Avira URL Cloudsafe
          http://www.epression-test-87609.bondReferer:0%Avira URL Cloudsafe
          http://www.apidrotation.net/g49t/www.lockchain.xxx0%Avira URL Cloudsafe
          http://www.oisv.info/g49t/0%Avira URL Cloudsafe
          http://www.potloans.liveReferer:0%Avira URL Cloudsafe
          http://www.oiyter.xyz/g49t/www.erfectescapes.vacations0%Avira URL Cloudsafe
          https://word.office.com8X0%Avira URL Cloudsafe
          http://www.lockchain.xxx/g49t/%&;0%Avira URL Cloudsafe
          http://www.arehouse-inventory-93551.bond/g49t/0%Avira URL Cloudsafe
          http://www.ntli.biz/g49t/www.he-eyeofgod.online0%Avira URL Cloudsafe
          http://www.sg.productions/g49t/0%Avira URL Cloudsafe
          http://www.ox-packaging-jobs11.online/g49t/0%Avira URL Cloudsafe
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2C00%Avira URL Cloudsafe
          http://www.he-eyeofgod.online/g49t/www.eqiachat3.christmas0%Avira URL Cloudsafe
          http://www.aamahsa-emer6.rest/g49t/0%Avira URL Cloudsafe
          http://www.potloans.live/g49t/0%Avira URL Cloudsafe
          http://www.sg.productions0%Avira URL Cloudsafe
          http://www.radantobin.photography/g49t/0%Avira URL Cloudsafe
          http://www.arcelaamiga.shop0%Avira URL Cloudsafe
          http://www.eqiachat3.christmasReferer:0%Avira URL Cloudsafe
          http://www.radantobin.photography0%Avira URL Cloudsafe
          http://www.om-tarewo.icu/g49t/www.asik-eye-surgery-90605.bond0%Avira URL Cloudsafe
          http://www.oiyter.xyzReferer:0%Avira URL Cloudsafe
          http://www.itansofwisdom.fun/g49t/www.oisv.info0%Avira URL Cloudsafe
          http://www.epression-test-87609.bond/g49t/0%Avira URL Cloudsafe
          http://www.ox-packaging-jobs11.onlineReferer:0%Avira URL Cloudsafe
          http://www.om-tarewo.icu0%Avira URL Cloudsafe
          http://www.potloans.live0%Avira URL Cloudsafe
          www.radantobin.photography/g49t/0%Avira URL Cloudsafe
          http://www.apidrotation.net/g49t/0%Avira URL Cloudsafe
          http://www.epression-test-87609.bond0%Avira URL Cloudsafe
          http://www.radantobin.photographyReferer:0%Avira URL Cloudsafe
          http://www.rilens.online/g49t/0%Avira URL Cloudsafe
          http://www.om-tarewo.icu/g49t/0%Avira URL Cloudsafe
          http://www.sg.productions/g49t/www.epression-test-87609.bond0%Avira URL Cloudsafe
          http://www.rilens.onlineReferer:0%Avira URL Cloudsafe
          http://www.he-eyeofgod.online0%Avira URL Cloudsafe
          http://www.potloans.live/g49t/www.erfectescapes.vacations0%Avira URL Cloudsafe
          http://www.sg.productionsReferer:0%Avira URL Cloudsafe
          http://www.hermocontrol.xyz0%Avira URL Cloudsafe
          http://www.oiyter.xyz/g49t/0%Avira URL Cloudsafe
          http://www.rilens.online/g49t/www.ebastianschlosser.xyz0%Avira URL Cloudsafe
          http://www.oiyter.xyz/g49t/www.apidrotation.net0%Avira URL Cloudsafe
          http://www.arcelaamiga.shopReferer:0%Avira URL Cloudsafe
          http://www.ydhl.life0%Avira URL Cloudsafe
          http://www.erfectescapes.vacations/g49t/0%Avira URL Cloudsafe
          http://www.arbiequiz.shop/g49t/0%Avira URL Cloudsafe
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm0%Avira URL Cloudsafe
          http://www.ebastianschlosser.xyz0%Avira URL Cloudsafe
          http://www.ellnessdigitalmedia.store/g49t/www.ntli.biz0%Avira URL Cloudsafe
          http://www.eqiachat3.christmas/g49t/0%Avira URL Cloudsafe
          http://www.hermocontrol.xyzReferer:0%Avira URL Cloudsafe
          NameIPActiveMaliciousAntivirus DetectionReputation
          s-part-0017.t-0009.t-msedge.net
          13.107.246.45
          truefalse
            high
            www.potloans.live
            unknown
            unknowntrue
              unknown
              www.erfectescapes.vacations
              unknown
              unknowntrue
                unknown
                www.rilens.online
                unknown
                unknowntrue
                  unknown
                  time.windows.com
                  unknown
                  unknownfalse
                    high
                    www.ydhl.life
                    unknown
                    unknowntrue
                      unknown
                      api.msn.com
                      unknown
                      unknownfalse
                        high
Name | Malicious | Antivirus Detection | Reputation
www.radantobin.photography/g49t/ | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.ebastianschlosser.xyzReferer: | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ellnessdigitalmedia.storeReferer: | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark | explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows?t | explorer.exe, 00000003.00000002.2315639009.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.0000000007276000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2C0-dark | explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oisv.infoReferer: | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/politics/judge-erupts-at-trump-s-lawyers-for-wasting-time-with-ridicu | explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.aamahsa-emer6.rest/g49t/www.radantobin.photography | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2383960310.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2449470383.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.00000000099F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.00000000099DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark | explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.erfectescapes.vacations | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ewrefope.xyz/g49t/ | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ransmediatupa.storeReferer: | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | explorer.exe, 0000000D.00000002.2763729217.00000000085A0000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://excel.office.com | explorer.exe, 00000003.00000000.1397698717.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2324204599.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374178185.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ntli.biz/g49t/ | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.itansofwisdom.fun/g49t/ | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ewrefope.xyzReferer: | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ox-packaging-jobs11.online | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ransmediatupa.store/g49t/www.ewrefope.xyz | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oisv.info | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eqiachat3.christmas | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apidrotation.net/g49t/www.lockchain.xxx | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.epression-test-87609.bondReferer: | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hermocontrol.xyz/g49t/www.arbiequiz.shop | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://wns.windows.com/ | explorer.exe, 00000003.00000000.1391309639.00000000090F2000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.potloans.liveReferer: | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oisv.info/g49t/ | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oiyter.xyz/g49t/www.erfectescapes.vacations | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000000.1397698717.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271667496.000000000C44D000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com | explorer.exe, 00000003.00000000.1397698717.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2324204599.000000000C091000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.arehouse-inventory-93551.bond/g49t/ | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.com8X | explorer.exe, 0000000D.00000003.2397385085.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374178185.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lockchain.xxx/g49t/%&; | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ntli.biz/g49t/www.he-eyeofgod.online | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sg.productions/g49t/ | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ox-packaging-jobs11.online/g49t/ | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2C0 | explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.he-eyeofgod.online/g49t/www.eqiachat3.christmas | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.radantobin.photography/g49t/ | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sg.productions | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.aamahsa-emer6.rest/g49t/ | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 00000003.00000000.1397698717.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2324204599.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374178185.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.potloans.live/g49t/ | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.radantobin.photography | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.arcelaamiga.shop | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000003.00000003.2272744772.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2319828529.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1391309639.000000000913F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.eqiachat3.christmasReferer: | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oiyter.xyzReferer: | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.om-tarewo.icu/g49t/www.asik-eye-surgery-90605.bond | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 00000003.00000000.1391309639.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2318980424.0000000008F83000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.epression-test-87609.bond/g49t/ | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.itansofwisdom.fun/g49t/www.oisv.info | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ox-packaging-jobs11.onlineReferer: | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.potloans.live | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.om-tarewo.icu | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apidrotation.net/g49t/ | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.epression-test-87609.bond | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/v1/news/Feed/Windows? | explorer.exe, 00000003.00000000.1391309639.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2318980424.0000000008F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.rilens.online/g49t/ | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.radantobin.photographyReferer: | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sg.productions/g49t/www.epression-test-87609.bond | explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.om-tarewo.icu/g49t/ | explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                      https://www.pollensense.com/explorer.exe, 00000003.00000000.1387701317.00000000071B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007A95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.he-eyeofgod.onlineexplorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.potloans.live/g49t/www.erfectescapes.vacationsexplorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.rilens.onlineReferer:explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.sg.productionsReferer:explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.hermocontrol.xyzexplorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.oiyter.xyz/g49t/explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/explorer.exe, 0000000D.00000003.2321162108.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.rilens.online/g49t/www.ebastianschlosser.xyzexplorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.arcelaamiga.shopReferer:explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.oiyter.xyz/g49t/www.apidrotation.netexplorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.ydhl.lifeexplorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://api.msn.com/7explorer.exe, 0000000D.00000003.2383960310.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2382166291.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2449470383.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2482267354.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2397385085.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2764027804.00000000099D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2376748203.00000000099DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384898230.00000000099F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2378903821.00000000099FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2374714058.00000000099DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.microexplorer.exe, 00000003.00000002.2317848990.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2318369406.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2318340710.0000000008810000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.erfectescapes.vacations/g49t/explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.arbiequiz.shop/g49t/explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINtexplorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBmexplorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.eqiachat3.christmas/g49t/explorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.ebastianschlosser.xyzexplorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.ellnessdigitalmedia.store/g49t/www.ntli.bizexplorer.exe, 00000003.00000003.2271580563.000000000C585000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271295425.000000000C572000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2327813742.000000000C589000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-explorer.exe, 00000003.00000002.2315639009.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1387701317.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ABC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2320107660.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730177560.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2319017939.0000000007A95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.hermocontrol.xyzReferer:explorer.exe, 0000000D.00000002.2955115782.000000000C765000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
No contacted IP infos

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590631
Start date and time: 2025-01-14 11:53:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: ORDER ENQIRY #093727664.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/8@6/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 44
• Number of non-executed functions: 296
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, VSSVC.exe, SearchApp.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
• Excluded IPs from analysis (whitelisted): 104.40.149.189, 204.79.197.203, 13.107.246.45, 172.202.163.200, 40.126.32.138, 184.28.90.27, 2.23.242.162, 2.21.65.154, 2.23.227.221
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, login.live.com, r.bing.com, azureedge-t-prod.trafficmanager.net, api-msn-com.a-0003.a-msedge.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Time | Type | Description
05:54:33 | API Interceptor | 572916x Sleep call for process: explorer.exe modified
05:55:07 | API Interceptor | 1385580x Sleep call for process: cmd.exe modified
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s-part-0017.t-0009.t-msedge.net | New purchase order.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | ProductBOMpq_v4.xlsm | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | ProductBOMpq_v4.xlsm | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | RFQ____PC25-1301.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Signature Required_ Retail Technology Asia Employee Benefit for eddie.chan@rtasia.com.hk.eml | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | RFQ____PC25-1301.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://Rtasia-sharepoint.zonivarnoth.ru/ITb4aThU/#Deddie.chan@rtasia.com.hk | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | RFQ____PC25-1301.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | RFQ____PC25-1301.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | yTRd6nkLWV.exe | Get hash | malicious | LummaC | Browse | 13.107.246.45

No context
No context
No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 2.2789410996231094
Encrypted: false
SSDEEP: 384:1+CmLgHqjjw6gohPERJ0YIzuiFZY4lO8k:1+vgHqjj0op+JBIzuiFZY4lO8
MD5: 7ACC31BB3F2EC7249877D85A3A1F6B13
SHA1: 8313785224DB6C2061714664BF1FD6CC9A0FC076
SHA-256: 84E67F5A113ACB5942EC6CF7D0FE13F53E6C75A5904C3192BC3F6F84379521D9
SHA-512: 87C64C4D4D1397A1AE0F838F2D5771AF4D16B77ECE2DAD545218F56E4312970F98C065D4D32AD3CFDC6578CC8054A88AD593C9FC8087BC33C16A03419EDF168E
Malicious: false
Reputation: low
                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.2.5.7.5.5.3.7.8.5.1.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.b.b.8.a.7.f.-.d.a.3.a.-.4.1.0.7.-.9.2.7.b.-.e.d.5.7.5.8.d.2.e.a.0.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.5.6.e.0.d.f.-.e.b.5.b.-.4.c.0.b.-.b.f.d.1.-.d.6.9.f.0.7.6.a.c.f.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.d.8.-.0.0.0.1.-.0.0.1.4.-.3.4.a.6.-.f.7.5.5.6.2.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 17 streams, Tue Jan 14 10:55:56 2025, 0x1205a4 type
Category: dropped
Size (bytes): 1022466
Entropy (8bit): 1.40511930822667
Encrypted: false
SSDEEP: 3072:ASuSGGMN+US++3ViY/kL2Rx2II9uoZqZo:1udN+R++3Vi6kL2j2B+o
MD5: 191F42DCA7B2908811ABDCC24840272B
SHA1: 7B22F7051107487D163026518BCB90D3807E271A
SHA-256: 40616862FF5F9B0C21DBA6A7813957EB535C7DAA8EA202617DD4A32DA07FCB4A
SHA-512: 6E367F56DE362020E6DBC0C7F9EE0FFA2E13489A8C5695B334579D8346B679E943CF630BD8BEE89DB980AA12629849BABF2CF790896A2829066E6DEA8CC1C85F
Malicious: false
Reputation: low
                                                                                      Preview:MDMP..a..... ........B.g............$... ........l..P.......d...T...................................x.......8...........T...$........`..J9..........|...........h...........................................................................................eJ..............Lw......................T............&.g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):10846
                                                                                      Entropy (8bit):3.70092464097448
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:R6l7wVeJdendi6YsjigmfqzVEUfprP89bpp97fIjm:R6lXJU46YoigmfqzVopz7fh
                                                                                      MD5:7088706973D3496A8CD204F8E2E10D17
                                                                                      SHA1:E82775E440636B3A4E81F0A7634E6FB168141975
                                                                                      SHA-256:89E3DA100114F14294F96ABCD66877AC7ADAA44FF27276388D6DAA9E264C5363
                                                                                      SHA-512:32A374E62C02C3B87A08C52A94D8CD7710A02845DCDEFF4C502BF15C7359676F499A957119249402235F981F3DBAA30700D1487890E4354DEFD400E43EB55C1F
                                                                                      Malicious:false
                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.5.6.<./.P.i.
                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4724
                                                                                      Entropy (8bit):4.467498969352681
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwWl8zs5NJg771I97gWpW8VYZ6Ym8M4JYmFhyq85clb9Q32d:uIjf5nI7QZ7VIzJZnba32d
                                                                                      MD5:3FC4AED26A87536F77045C144DA8E6AB
                                                                                      SHA1:439C054AC86A3E233B04709380087C7237F1AFE5
                                                                                      SHA-256:8B793BE14B907A2C4A5D7A0D687D85DBAD6811768C98C8F328128114D5C5F3E4
                                                                                      SHA-512:5779C0BF1714305CBC3BFDEB50F1CE2296E9D37E0A2F7F400B8F0B284CA133D062CD0DD74636FEE888532512F8DB519F8E9D06BB5D00008C749CFE3CBF1894E5
                                                                                      Malicious:false
                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="675478" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                      Process:C:\Windows\explorer.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):107552
                                                                                      Entropy (8bit):4.005113039068459
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:+ql6pCkbG36SxPjk0ooMvqjENuLNwzjU1ONPJZ4R1v4jVzhlJmKypu3U3hwiAGiH:+dCkA6UMvqjQhkhwiAGinjEFBK5naTob
                                                                                      MD5:6B898FB261024C43D3A053D76D6D31D5
                                                                                      SHA1:A6E9BCF718980DE876F9E53BB8EA9026CDCB8C41
                                                                                      SHA-256:E8D4A5E2F3BA64EEEFA341D1E0AD1E735FCDF06701504F1523DBB1BE7ADACD9B
                                                                                      SHA-512:78DFE0D2A1248C3796B5BAC4A17DCD7037B74FEB8D2E606C99BE88F43BC67C94D008F261F768B2277C7D93A04A6BC2BF66577467381FCDBA3B3D1A14D8392DEB
                                                                                      Malicious:false
                                                                                      Preview:....h... ... ..........P..............X...H...].......................V.......e.n.-.C.H.;.e.n.-.G.B....... ......................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................0..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D.................................
                                                                                      Process:C:\Windows\explorer.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):107552
                                                                                      Entropy (8bit):4.005437838627236
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:+cl6zCkaG36SxPjk0ooMvqjENuLNwzjU1ONPJZ4R1v4jVzhlJmKypu3U3hwiAGia:+hCkL6UMvqjQhkhwiAGinjEFBK5nbTob
                                                                                      MD5:FB4AB6FA304D2E2FA648B95043AF8D40
                                                                                      SHA1:90BD30F4F4FE698F082AE92382C93A1F5AD61516
                                                                                      SHA-256:627DB3DA9DB7671B52DBF49C8948753B3C4CA3338FBFE4E781FE1D1B5056FEC1
                                                                                      SHA-512:F67F22B3AEEEA5BEC8D2A24B8108F80FDA50A3EA5285E3A83F472A715D7C981602A69C96B5C2456BB3801F3FAB7A95B9A626AE422DD8AAAA7005467AA8600AA8
                                                                                      Malicious:false
                                                                                      Preview:....h... ... ..........P..............X...H...].......................V.......e.n.-.C.H.;.e.n.-.G.B....... ......................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................0..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D.................................
                                                                                      Process:C:\Windows\explorer.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):891
                                                                                      Entropy (8bit):5.200816084694194
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Yzc2juHWGp8UCkC3c24dsKHt0drc6hE1opM:YzDWtpNCzD4ht0drcAEMM
                                                                                      MD5:0FDA79C4677CBCE14EE755D7F2F7C828
                                                                                      SHA1:ADD1D80FD9C2CCA984D4A7F2E34BF1148EFF9ADC
                                                                                      SHA-256:25917AA11CC1D44A731AF8DC46A304EDFADBA8E5D0D166CC958CB022C2957ADF
                                                                                      SHA-512:E4D84642093AC2FF5214994FBA3F3DB2BA4B2CBA946830F392B542CDDD76E5E5733DD4331C446910FCF608506F2679DF932F449E909F1564D522C733839399B4
                                                                                      Malicious:false
                                                                                      Preview:{"serviceContext":{"serviceActivityId":"337ecc6b-a40b-4867-bfcb-18b761e0ca45","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"337ecc6b-a40b-4867-bfcb-18b761e0ca45|2025-01-14T10:56:03.3234968Z|fabric_msn|EUS2-A|News_390","tier":"\u0000","clientActivityId":"17E31E13-DB66-48B6-AED9-BAA3BAA82DB4"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false,"1SlockscreenContentEnabled":true,"setMUIDOnMultipleDomains":false},"isPartial":false}
                                                                                      Process:C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe
                                                                                      File Type:data
                                                                                      Category:modified
                                                                                      Size (bytes):189440
                                                                                      Entropy (8bit):7.8734740212304555
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:SA5rGAaFlcG+pJ+ZNxUNvR0jIQ4gJ4K1Vtvr88PEpoVdEKbzHHtbsYNUrH0mHwXf:oAaFaGy+ZNxUNSjv4gx1LY8Q0E+zXNUo
                                                                                      MD5:61948BFF048A6EDA0A540EA91D3A26F7
                                                                                      SHA1:219F0BD7347466AECF53B1D8A13C182975F0D2C4
                                                                                      SHA-256:B3DC9DE0D9F7607BB0ABFB9B2FE12B2534E09F26B32D83C06424E830BB337BFB
                                                                                      SHA-512:68F8A23C0F9502214344894A8CFAEC585A1311CF2926D14962879E680A5128ADB9E0E4FE510172C0E4B65B85DE1F5EB79D713771F553E804B3C72555B3724664
                                                                                      Malicious:false
                                                                                      Preview:.c.a.1CBN...;..q.QP....2K...6N2XWRLMKQS9P311CBNO6N2XWRLMKQ.9P3?..LN.?...V..l.9:JpCC^$0/".-S69=8m)4sK%].X-b..en_737b@F[w9P311CB.>...1..-.6..1....P..X...-.9...%..&U&..1.LMKQS9P311CBNO6Nb.WR.LJQ...u11CBNO6N.XUSGLAQS.R311CBNO6N.VRL]KQS.R311.BN_6N2ZWRIMJQS9P341BBNO6N2.URLOKQS9P331..NO&N2HWRLM[QS)P311CB^O6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQ}M5KE1CBz.4N2HWRL.IQS)P311CBNO6N2XWRlMK1S9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQS9P311CBNO6N2XWRLMKQ
                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.262239968873196
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:ORDER ENQIRY #093727664.exe
                                                                                      File size:1'384'448 bytes
                                                                                      MD5:6c307da605db691944e35458f2a5b772
                                                                                      SHA1:b89158e370a8658cf3a6ed2bb78925e004034905
                                                                                      SHA256:f65ec81dc8f5d0a0a1f53752cdc2bb933e2897a91091f28b8d1702ffe207481c
                                                                                      SHA512:2c3dc98e9850a509d30b556c5bbc0941735ef26cfcb45cf23392a1c9e23012dd46d9916792c5c559d5cb2a3b27b1d96bfdf7d89f9f1b01db7bfc2630b17dfe17
                                                                                      SSDEEP:24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8aj1BV+opERjUD4TV3Y4M1:bTvC/MTQYxsWR7ajTkoUUwJY
                                                                                      TLSH:6B55C00273D1C062FF9B92334F5AF6515BBC69260123E62F13981DB9BE701A1563E7A3
                                                                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                                      Icon Hash:aaf3e3e3938382a0
                                                                                      Entrypoint:0x420577
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x6785AAD2 [Tue Jan 14 00:07:46 2025 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:5
                                                                                      OS Version Minor:1
                                                                                      File Version Major:5
                                                                                      File Version Minor:1
                                                                                      Subsystem Version Major:5
                                                                                      Subsystem Version Minor:1
                                                                                      Import Hash:948cc502fe9226992dce9417f952fce3
                                                                                      Instruction
                                                                                      call 00007F9C1CCCFFD3h
                                                                                      jmp 00007F9C1CCCF8DFh
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push esi
                                                                                      push dword ptr [ebp+08h]
                                                                                      mov esi, ecx
                                                                                      call 00007F9C1CCCFABDh
                                                                                      mov dword ptr [esi], 0049FDF0h
                                                                                      mov eax, esi
                                                                                      pop esi
                                                                                      pop ebp
                                                                                      retn 0004h
                                                                                      and dword ptr [ecx+04h], 00000000h
                                                                                      mov eax, ecx
                                                                                      and dword ptr [ecx+08h], 00000000h
                                                                                      mov dword ptr [ecx+04h], 0049FDF8h
                                                                                      mov dword ptr [ecx], 0049FDF0h
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push esi
                                                                                      push dword ptr [ebp+08h]
                                                                                      mov esi, ecx
                                                                                      call 00007F9C1CCCFA8Ah
                                                                                      mov dword ptr [esi], 0049FE0Ch
                                                                                      mov eax, esi
                                                                                      pop esi
                                                                                      pop ebp
                                                                                      retn 0004h
                                                                                      and dword ptr [ecx+04h], 00000000h
                                                                                      mov eax, ecx
                                                                                      and dword ptr [ecx+08h], 00000000h
                                                                                      mov dword ptr [ecx+04h], 0049FE14h
                                                                                      mov dword ptr [ecx], 0049FE0Ch
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push esi
                                                                                      mov esi, ecx
                                                                                      lea eax, dword ptr [esi+04h]
                                                                                      mov dword ptr [esi], 0049FDD0h
                                                                                      and dword ptr [eax], 00000000h
                                                                                      and dword ptr [eax+04h], 00000000h
                                                                                      push eax
                                                                                      mov eax, dword ptr [ebp+08h]
                                                                                      add eax, 04h
                                                                                      push eax
                                                                                      call 00007F9C1CCD267Dh
                                                                                      pop ecx
                                                                                      pop ecx
                                                                                      mov eax, esi
                                                                                      pop esi
                                                                                      pop ebp
                                                                                      retn 0004h
                                                                                      lea eax, dword ptr [ecx+04h]
                                                                                      mov dword ptr [ecx], 0049FDD0h
                                                                                      push eax
                                                                                      call 00007F9C1CCD26C8h
                                                                                      pop ecx
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push esi
                                                                                      mov esi, ecx
                                                                                      lea eax, dword ptr [esi+04h]
                                                                                      mov dword ptr [esi], 0049FDD0h
                                                                                      push eax
                                                                                      call 00007F9C1CCD26B1h
                                                                                      test byte ptr [ebp+08h], 00000001h
                                                                                      pop ecx
                                                                                      Programming Language:
                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                      • [IMP] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x7b5e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x150000 | 0x7594 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xd4000 | 0x7b5e0 | 0x7b600 | a03d34380a01387bd690aefcb317abbc | False | 0.9471627247973657 | data | 7.933046773397559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x150000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
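The header fields and section table above are enough to reproduce the triage checks an analyst would run by hand: which section the entry point lands in, which section each data directory resolves to (the "Is in Section" column), how the link timestamp decodes, and which sections have entropy close to 8 bits/byte (here .rsrc at 7.93, consistent with a compiled AutoIt script stored in resources). The script below is an added example, not part of the Joe Sandbox report or its tooling; the section, directory, image base, entry point and timestamp values are copied from this report, the entropy threshold of 7.5 is an assumed heuristic, and the helper names are the editor's own.

```python
import math
from collections import Counter
from datetime import datetime, timezone

# Values copied from the report above ("Imagebase", "Entrypoint", "Time Stamp").
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x420577
PE_TIMESTAMP = 0x6785AAD2

# Section table from the report: name, virtual address, virtual size, raw size,
# 8-bit entropy (rounded) and the characteristics flags.
SECTIONS = [
    (".text",  0x1000,   0x9ab1d, 0x9ac00, 6.668, "CODE|EXECUTE|READ"),
    (".rdata", 0x9c000,  0x2fb82, 0x2fc00, 5.692, "INITIALIZED_DATA|READ"),
    (".data",  0xcc000,  0x706c,  0x4800,  0.585, "INITIALIZED_DATA|READ|WRITE"),
    (".rsrc",  0xd4000,  0x7b5e0, 0x7b600, 7.933, "INITIALIZED_DATA|READ"),
    (".reloc", 0x150000, 0x7594,  0x7600,  6.797, "INITIALIZED_DATA|DISCARDABLE|READ"),
]

# Non-empty data directories from the report: name -> (RVA, size).
DATA_DIRECTORIES = {
    "IMPORT": (0xc8e64, 0x17c),
    "RESOURCE": (0xd4000, 0x7b5e0),
    "BASERELOC": (0x150000, 0x7594),
    "DEBUG": (0xb0ff0, 0x1c),
    "TLS": (0xc3400, 0x18),
    "LOAD_CONFIG": (0xb1010, 0x40),
    "IAT": (0x9c000, 0x894),
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the measure labelled 'Entropy (8bit)' in the report."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def section_for_rva(rva: int, sections=SECTIONS):
    """Name of the section whose mapped range covers `rva`, or None.
    Virtual size is used rather than raw size because that is what the loader maps."""
    for name, va, vsize, *_ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def entrypoint_section(image_base=IMAGE_BASE, ep_va=ENTRYPOINT_VA, sections=SECTIONS):
    """Section containing the entry point. An entry point outside .text, or in a
    writable section, is a common packer tell; for this sample it lands in .text."""
    return section_for_rva(ep_va - image_base, sections)


def decode_pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def suspicious_sections(sections=SECTIONS, entropy_threshold=7.5):
    """Flag sections that look like packed or encrypted payload carriers: entropy near
    8 bits/byte, virtual size far larger than raw size (room to unpack into), or
    write+execute permissions. The 7.5 threshold is an assumed heuristic."""
    flagged = []
    for name, va, vsize, rsize, ent, chars in sections:
        reasons = []
        if ent >= entropy_threshold:
            reasons.append(f"entropy {ent:.2f} >= {entropy_threshold}")
        if rsize and vsize > 2 * rsize:
            reasons.append(f"virtual size 0x{vsize:x} >> raw size 0x{rsize:x}")
        if "WRITE" in chars and "EXECUTE" in chars:
            reasons.append("writable+executable")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def directories_by_section(dirs=DATA_DIRECTORIES, sections=SECTIONS):
    """Resolve each data directory RVA to its section, reproducing 'Is in Section'."""
    return {name: section_for_rva(rva, sections) for name, (rva, _size) in dirs.items()}


if __name__ == "__main__":
    print("entry point in:", entrypoint_section())
    print("link time:", decode_pe_timestamp(PE_TIMESTAMP).isoformat())
    for name, reasons in suspicious_sections():
        print(f"{name}: {'; '.join(reasons)}")
    for d, s in directories_by_section().items():
        print(f"{d:12s} -> {s}")
```

Replacing the hard-coded `SECTIONS` and `DATA_DIRECTORIES` with values parsed from a file (for instance with `pefile`) turns this into a reusable first-pass check; the entropy function can then be run over each section's raw bytes instead of the report's rounded figures.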
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x728a8 | data |  |  | 1.0003218518202746
RT_GROUP_ICON | 0x14f060 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x14f0d8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x14f0ec | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x14f100 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x14f114 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x14f1f0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 11:54:17.290030956 CET | 54936 | 53 | 192.168.2.7 | 1.1.1.1
Jan 14, 2025 11:55:00.190495014 CET | 57937 | 53 | 192.168.2.7 | 1.1.1.1
Jan 14, 2025 11:55:00.198828936 CET | 53 | 57937 | 1.1.1.1 | 192.168.2.7
Jan 14, 2025 11:55:19.940308094 CET | 49424 | 53 | 192.168.2.7 | 1.1.1.1
Jan 14, 2025 11:55:19.979357004 CET | 53 | 49424 | 1.1.1.1 | 192.168.2.7
Jan 14, 2025 11:55:39.959616899 CET | 61710 | 53 | 192.168.2.7 | 1.1.1.1
Jan 14, 2025 11:55:39.971023083 CET | 53 | 61710 | 1.1.1.1 | 192.168.2.7
Jan 14, 2025 11:56:02.598287106 CET | 61484 | 53 | 192.168.2.7 | 1.1.1.1
Jan 14, 2025 11:56:12.066025972 CET | 59500 | 53 | 192.168.2.7 | 1.1.1.1
Jan 14, 2025 11:56:12.074769020 CET | 53 | 59500 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 14, 2025 11:54:17.290030956 CET | 192.168.2.7 | 1.1.1.1 | 0x4a86 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:55:00.190495014 CET | 192.168.2.7 | 1.1.1.1 | 0x1f59 | Standard query (0) | www.potloans.live | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:55:19.940308094 CET | 192.168.2.7 | 1.1.1.1 | 0xabdd | Standard query (0) | www.erfectescapes.vacations | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:55:39.959616899 CET | 192.168.2.7 | 1.1.1.1 | 0x7d2a | Standard query (0) | www.rilens.online | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:56:02.598287106 CET | 192.168.2.7 | 1.1.1.1 | 0x61e0 | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:56:12.066025972 CET | 192.168.2.7 | 1.1.1.1 | 0xb642 | Standard query (0) | www.ydhl.life | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 14, 2025 11:54:17.297363997 CET | 1.1.1.1 | 192.168.2.7 | 0x4a86 | No error (0) | time.windows.com | twc.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 11:54:19.015055895 CET | 1.1.1.1 | 192.168.2.7 | 0x5553 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 11:54:19.015055895 CET | 1.1.1.1 | 192.168.2.7 | 0x5553 | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:55:00.198828936 CET | 1.1.1.1 | 192.168.2.7 | 0x1f59 | Name error (3) | www.potloans.live | none | none | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:55:19.979357004 CET | 1.1.1.1 | 192.168.2.7 | 0xabdd | Name error (3) | www.erfectescapes.vacations | none | none | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:55:39.971023083 CET | 1.1.1.1 | 192.168.2.7 | 0x7d2a | Name error (3) | www.rilens.online | none | none | A (IP address) | IN (0x0001) | false
Jan 14, 2025 11:56:02.604887962 CET | 1.1.1.1 | 192.168.2.7 | 0x61e0 | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 11:56:12.074769020 CET | 1.1.1.1 | 192.168.2.7 | 0xb642 | Name error (3) | www.ydhl.life | none | none | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 05:54:20
Start date: 14/01/2025
Path: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe"
Imagebase: 0x660000
File size: 1'384'448 bytes
MD5 hash: 6C307DA605DB691944E35458F2A5B772
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1382632006.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 05:54:21
Start date: 14/01/2025
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe"
Imagebase: 0x970000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1445656880.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1444814664.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1444430079.00000000003C1000.00000020.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high
Has exited: true

Target ID: 3
Start time: 05:54:23
Start date: 14/01/2025
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff70ffd0000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 05:54:26
Start date: 14/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\cmd.exe"
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2735560999.0000000002BA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2735796403.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2720326316.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:5
                                                                                      Start time:05:54:29
                                                                                      Start date:14/01/2025
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                                                                      Imagebase:0x410000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:05:54:29
                                                                                      Start date:14/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff75da10000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:05:55:55
                                                                                      Start date:14/01/2025
                                                                                      Path:C:\Windows\System32\WerFault.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 4056 -s 3612
                                                                                      Imagebase:0x7ff6c7f90000
                                                                                      File size:570'736 bytes
                                                                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:05:55:57
                                                                                      Start date:14/01/2025
                                                                                      Path:C:\Windows\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:explorer.exe
                                                                                      Imagebase:0x7ff70ffd0000
                                                                                      File size:5'141'208 bytes
                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:false


                                                                                        Execution Graph

                                                                                        Execution Coverage:2.7%
                                                                                        Dynamic/Decrypted Code Coverage:1.1%
                                                                                        Signature Coverage:3.5%
                                                                                        Total number of Nodes:1616
                                                                                        Total number of Limit Nodes:46
                                                                                        execution_graph: [node and edge listing of the interactive execution graph (1616 nodes, 46 limit nodes) not reproduced; it is a raw graph dump that is unreadable as text. API calls named in the graph's nodes include GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, CloseHandle, RegisterWindowMessageW, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetLastError, CreateFileW, VirtualAlloc, ReadFile, ExitProcess, GetPEB, Sleep, GetOpenFileNameW, GetFullPathNameW, GetLongPathNameW, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.]
95843 6b2a00 95858 66d7b0 messages 95843->95858 95844 66db11 PeekMessageW 95844->95858 95845 66d807 GetInputState 95845->95844 95845->95858 95846 6b1cbe TranslateAcceleratorW 95846->95858 95848 66db8f PeekMessageW 95848->95858 95849 66da04 timeGetTime 95849->95858 95850 66db73 TranslateMessage DispatchMessageW 95850->95848 95851 66dbaf Sleep 95865 66dbc0 95851->95865 95852 6b2b74 Sleep 95852->95865 95853 6b1dda timeGetTime 95965 67e300 23 API calls 95853->95965 95854 67e551 timeGetTime 95854->95865 95857 6b2c0b GetExitCodeProcess 95862 6b2c21 WaitForSingleObject 95857->95862 95863 6b2c37 CloseHandle 95857->95863 95858->95844 95858->95845 95858->95846 95858->95848 95858->95849 95858->95850 95858->95851 95858->95852 95858->95853 95860 66d9d5 95858->95860 95871 66ec40 207 API calls 95858->95871 95875 66dd50 95858->95875 95882 66dfd0 95858->95882 95905 671310 95858->95905 95963 66bf40 207 API calls 2 library calls 95858->95963 95964 67edf6 IsDialogMessageW GetClassLongW 95858->95964 95966 6d3a2a 23 API calls 95858->95966 95967 6d359c 82 API calls __wsopen_s 95858->95967 95859 6f29bf GetForegroundWindow 95859->95865 95862->95858 95862->95863 95863->95865 95864 6b2a31 95864->95860 95865->95854 95865->95857 95865->95858 95865->95859 95865->95860 95865->95864 95866 6b2ca9 Sleep 95865->95866 95968 6e5658 23 API calls 95865->95968 95969 6ce97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 95865->95969 95970 6cd4dc 47 API calls 95865->95970 95866->95858 95871->95858 95876 66dd83 95875->95876 95877 66dd6f 95875->95877 95972 6d359c 82 API calls __wsopen_s 95876->95972 95971 66d260 207 API calls 2 library calls 95877->95971 95879 66dd7a 95879->95858 95881 6b2f75 95881->95881 95883 66e010 95882->95883 95894 66e0dc messages 95883->95894 95975 680242 5 API calls __Init_thread_wait 95883->95975 95886 6b2fca 95888 66a961 22 API calls 95886->95888 95886->95894 95887 66a961 22 API calls 95887->95894 95890 6b2fe4 95888->95890 95889 6d359c 82 API 
calls 95889->95894 95976 6800a3 29 API calls __onexit 95890->95976 95894->95887 95894->95889 95898 66ec40 207 API calls 95894->95898 95900 66a8c7 22 API calls 95894->95900 95901 6704f0 22 API calls 95894->95901 95902 66e3e1 95894->95902 95973 66a81b 41 API calls 95894->95973 95974 67a308 207 API calls 95894->95974 95978 680242 5 API calls __Init_thread_wait 95894->95978 95979 6800a3 29 API calls __onexit 95894->95979 95980 6801f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95894->95980 95981 6e47d4 207 API calls 95894->95981 95982 6e68c1 207 API calls 95894->95982 95895 6b2fee 95977 6801f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95895->95977 95898->95894 95900->95894 95901->95894 95902->95858 95906 671376 95905->95906 95907 6717b0 95905->95907 95908 671390 95906->95908 95909 6b6331 95906->95909 96140 680242 5 API calls __Init_thread_wait 95907->96140 95912 671940 9 API calls 95908->95912 96099 6e709c 95909->96099 95911 6717ba 95915 6717fb 95911->95915 95917 669cb3 22 API calls 95911->95917 95916 6713a0 95912->95916 95914 6b633d 95914->95858 95920 6b6346 95915->95920 95922 67182c 95915->95922 95918 671940 9 API calls 95916->95918 95926 6717d4 95917->95926 95919 6713b6 95918->95919 95919->95915 95921 6713ec 95919->95921 96145 6d359c 82 API calls __wsopen_s 95920->96145 95921->95920 95946 671408 __fread_nolock 95921->95946 96142 66aceb 23 API calls messages 95922->96142 95925 671839 96143 67d217 207 API calls 95925->96143 96141 6801f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95926->96141 95927 6b6369 95927->95858 95930 6b636e 96146 6d359c 82 API calls __wsopen_s 95930->96146 95931 67152f 95933 6b63d1 95931->95933 95934 67153c 95931->95934 96148 6e5745 54 API calls _wcslen 95933->96148 95936 671940 9 API calls 95934->95936 95938 671549 95936->95938 95937 67fddb 22 API calls 95937->95946 95941 6b64fa 95938->95941 95943 671940 9 API calls 95938->95943 95939 671872 96144 67faeb 23 API calls 95939->96144 95940 
67fe0b 22 API calls 95940->95946 95941->95927 96149 6d359c 82 API calls __wsopen_s 95941->96149 95948 671563 95943->95948 95945 66ec40 207 API calls 95945->95946 95946->95925 95946->95927 95946->95930 95946->95931 95946->95937 95946->95940 95946->95945 95947 6b63b2 95946->95947 96147 6d359c 82 API calls __wsopen_s 95947->96147 95948->95941 95950 66a8c7 22 API calls 95948->95950 95953 6715c7 messages 95948->95953 95950->95953 95951 671940 9 API calls 95951->95953 95952 67171d 95952->95858 95953->95927 95953->95939 95953->95941 95953->95951 95955 67167b messages 95953->95955 95983 6d744a 95953->95983 96039 6ee204 95953->96039 96075 6d83da 95953->96075 96078 666246 95953->96078 96082 666216 95953->96082 96087 6e958b 95953->96087 96090 6df0ec 95953->96090 95955->95952 96139 67ce17 22 API calls messages 95955->96139 95963->95858 95964->95858 95965->95858 95966->95858 95967->95858 95968->95865 95969->95865 95970->95865 95971->95879 95972->95881 95973->95894 95974->95894 95975->95886 95976->95895 95977->95894 95978->95894 95979->95894 95980->95894 95981->95894 95982->95894 95984 6d7469 95983->95984 95985 6d7474 95983->95985 96158 66b567 39 API calls 95984->96158 95988 66a961 22 API calls 95985->95988 96024 6d7554 95985->96024 95987 67fddb 22 API calls 95989 6d7587 95987->95989 95990 6d7495 95988->95990 95991 67fe0b 22 API calls 95989->95991 95992 66a961 22 API calls 95990->95992 95993 6d7598 95991->95993 95994 6d749e 95992->95994 95995 666246 CloseHandle 95993->95995 95996 667510 53 API calls 95994->95996 95997 6d75a3 95995->95997 95998 6d74aa 95996->95998 95999 66a961 22 API calls 95997->95999 96159 66525f 22 API calls 95998->96159 96001 6d75ab 95999->96001 96003 666246 CloseHandle 96001->96003 96002 6d74bf 96004 666350 22 API calls 96002->96004 96005 6d75b2 96003->96005 96006 6d74f2 96004->96006 96007 667510 53 API calls 96005->96007 96008 6d754a 96006->96008 96160 6cd4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 96006->96160 96009 6d75be 96007->96009 96162 
66b567 39 API calls 96008->96162 96010 666246 CloseHandle 96009->96010 96012 6d75c8 96010->96012 96150 665745 96012->96150 96014 6d7502 96014->96008 96015 6d7506 96014->96015 96017 669cb3 22 API calls 96015->96017 96019 6d7513 96017->96019 96161 6cd2c1 26 API calls 96019->96161 96021 6d76de GetLastError 96023 6d76f7 96021->96023 96022 6d75ea 96163 6653de 27 API calls messages 96022->96163 96026 666216 CloseHandle 96023->96026 96024->95987 96037 6d76a4 96024->96037 96026->96037 96027 6d751c 96027->96008 96028 6d75f8 96164 6653c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96028->96164 96030 6d7645 96032 67fddb 22 API calls 96030->96032 96031 6d75ff 96031->96030 96165 6cccff 96031->96165 96033 6d7679 96032->96033 96035 66a961 22 API calls 96033->96035 96036 6d7686 96035->96036 96036->96037 96169 6c417d 22 API calls __fread_nolock 96036->96169 96037->95953 96040 66a961 22 API calls 96039->96040 96041 6ee21b 96040->96041 96042 667510 53 API calls 96041->96042 96043 6ee22a 96042->96043 96172 666270 96043->96172 96046 667510 53 API calls 96047 6ee24a 96046->96047 96048 6ee2c7 96047->96048 96049 6ee262 96047->96049 96050 667510 53 API calls 96048->96050 96196 66b567 39 API calls 96049->96196 96052 6ee2cc 96050->96052 96054 6ee2d9 96052->96054 96055 6ee314 96052->96055 96053 6ee267 96053->96054 96057 6ee280 96053->96057 96199 669c6e 22 API calls 96054->96199 96058 6ee32c 96055->96058 96200 66b567 39 API calls 96055->96200 96197 666d25 22 API calls __fread_nolock 96057->96197 96059 6ee345 96058->96059 96201 66b567 39 API calls 96058->96201 96063 66a8c7 22 API calls 96059->96063 96065 6ee35f 96063->96065 96064 6ee28d 96066 666350 22 API calls 96064->96066 96177 6c92c8 96065->96177 96069 6ee29b 96066->96069 96068 6ee2e6 96068->95953 96198 666d25 22 API calls __fread_nolock 96069->96198 96071 6ee2b4 96072 666350 22 API calls 96071->96072 96073 6ee2c2 96072->96073 96202 6662b5 22 API calls 96073->96202 96215 6d98e3 96075->96215 96077 6d83ea 96077->95953 96079 666250 
96078->96079 96080 66625f 96078->96080 96079->95953 96080->96079 96081 666264 CloseHandle 96080->96081 96081->96079 96083 666246 CloseHandle 96082->96083 96084 66621e 96083->96084 96085 666246 CloseHandle 96084->96085 96086 66622d messages 96085->96086 96086->95953 96295 6e7f59 96087->96295 96089 6e959b 96089->95953 96091 667510 53 API calls 96090->96091 96092 6df126 96091->96092 96379 669e90 96092->96379 96094 6df136 96095 6df15b 96094->96095 96096 66ec40 207 API calls 96094->96096 96098 6df15f 96095->96098 96407 669c6e 22 API calls 96095->96407 96096->96095 96098->95953 96100 6e70db 96099->96100 96101 6e70f5 96099->96101 96426 6d359c 82 API calls __wsopen_s 96100->96426 96415 6e5689 96101->96415 96105 66ec40 206 API calls 96106 6e7164 96105->96106 96107 6e71ff 96106->96107 96110 6e71a6 96106->96110 96132 6e70ed 96106->96132 96108 6e7205 96107->96108 96109 6e7253 96107->96109 96427 6d1119 22 API calls 96108->96427 96111 667510 53 API calls 96109->96111 96109->96132 96115 6d0acc 22 API calls 96110->96115 96113 6e7265 96111->96113 96116 66aec9 22 API calls 96113->96116 96114 6e7228 96428 66a673 22 API calls 96114->96428 96118 6e71de 96115->96118 96119 6e7289 CharUpperBuffW 96116->96119 96121 671310 206 API calls 96118->96121 96122 6e72a3 96119->96122 96120 6e7230 96429 66bf40 207 API calls 2 library calls 96120->96429 96121->96132 96123 6e72aa 96122->96123 96124 6e72f6 96122->96124 96422 6d0acc 96123->96422 96126 667510 53 API calls 96124->96126 96127 6e72fe 96126->96127 96430 67e300 23 API calls 96127->96430 96131 671310 206 API calls 96131->96132 96132->95914 96133 6e7308 96133->96132 96134 667510 53 API calls 96133->96134 96135 6e7323 96134->96135 96431 66a673 22 API calls 96135->96431 96137 6e7333 96432 66bf40 207 API calls 2 library calls 96137->96432 96139->95955 96140->95911 96141->95915 96142->95925 96143->95939 96144->95939 96145->95927 96146->95927 96147->95927 96148->95948 96149->95927 96151 66575c CreateFileW 96150->96151 96152 6a4035 96150->96152 96153 
66577b 96151->96153 96152->96153 96154 6a403b CreateFileW 96152->96154 96153->96021 96153->96022 96154->96153 96155 6a4063 96154->96155 96170 6654c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96155->96170 96157 6a406e 96157->96153 96158->95985 96159->96002 96160->96014 96161->96027 96162->96024 96163->96028 96164->96031 96166 6ccd0e 96165->96166 96167 6ccd19 WriteFile 96165->96167 96171 6ccc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96166->96171 96167->96030 96169->96037 96170->96157 96171->96167 96173 67fe0b 22 API calls 96172->96173 96174 666295 96173->96174 96175 67fddb 22 API calls 96174->96175 96176 6662a3 96175->96176 96176->96046 96178 66a961 22 API calls 96177->96178 96179 6c92de 96178->96179 96180 666270 22 API calls 96179->96180 96181 6c92f2 96180->96181 96190 6c9314 96181->96190 96203 6c8e54 96181->96203 96183 6c8e54 41 API calls 96183->96190 96187 666350 22 API calls 96187->96190 96188 6c93b3 96189 66a8c7 22 API calls 96188->96189 96191 6c93c2 96188->96191 96189->96191 96190->96183 96190->96187 96190->96188 96192 6c9397 96190->96192 96211 666d25 22 API calls __fread_nolock 96190->96211 96191->96073 96212 666d25 22 API calls __fread_nolock 96192->96212 96194 6c93a7 96195 666350 22 API calls 96194->96195 96195->96188 96196->96053 96197->96064 96198->96071 96199->96068 96200->96058 96201->96059 96202->96068 96204 6c8e74 _wcslen 96203->96204 96205 6c8f63 96204->96205 96207 6c8ea9 96204->96207 96208 6c8f68 96204->96208 96205->96190 96210 666d25 22 API calls __fread_nolock 96205->96210 96207->96205 96213 67ce60 41 API calls 96207->96213 96208->96205 96214 67ce60 41 API calls 96208->96214 96210->96190 96211->96190 96212->96194 96213->96207 96214->96208 96216 6d99e8 96215->96216 96217 6d9902 96215->96217 96272 6d9caa 39 API calls 96216->96272 96219 67fddb 22 API calls 96217->96219 96220 6d9909 96219->96220 96221 67fe0b 22 API calls 96220->96221 96222 6d991a 96221->96222 96224 666246 CloseHandle 96222->96224 96223 6d9ac5 96266 6d1e96 
96223->96266 96227 6d9925 96224->96227 96225 6d99ca 96225->96077 96230 66a961 22 API calls 96227->96230 96228 6d9acc 96236 6cccff 4 API calls 96228->96236 96229 6d99a2 96229->96223 96229->96225 96232 6d9a33 96229->96232 96231 6d992d 96230->96231 96233 666246 CloseHandle 96231->96233 96234 667510 53 API calls 96232->96234 96235 6d9934 96233->96235 96245 6d9a3a 96234->96245 96237 667510 53 API calls 96235->96237 96238 6d9aa8 96236->96238 96241 6d9940 96237->96241 96238->96225 96246 666246 CloseHandle 96238->96246 96239 6d9abb 96283 6ccd57 30 API calls 96239->96283 96243 666246 CloseHandle 96241->96243 96242 6d9a6e 96244 666270 22 API calls 96242->96244 96247 6d994a 96243->96247 96248 6d9a7e 96244->96248 96245->96239 96245->96242 96249 6d9b1e 96246->96249 96250 665745 5 API calls 96247->96250 96251 6d9a8e 96248->96251 96254 66a8c7 22 API calls 96248->96254 96252 666216 CloseHandle 96249->96252 96253 6d9959 96250->96253 96273 6633c6 96251->96273 96252->96225 96256 6d995d 96253->96256 96257 6d99c2 96253->96257 96254->96251 96270 6653de 27 API calls messages 96256->96270 96259 666216 CloseHandle 96257->96259 96259->96225 96262 6d996b 96271 6653c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96262->96271 96264 6d9972 96264->96229 96265 6cccff 4 API calls 96264->96265 96265->96229 96267 6d1e9f 96266->96267 96269 6d1ea4 96266->96269 96284 6d0f67 24 API calls __fread_nolock 96267->96284 96269->96228 96270->96262 96271->96264 96272->96229 96274 6a30bb 96273->96274 96275 6633dd 96273->96275 96277 67fddb 22 API calls 96274->96277 96285 6633ee 96275->96285 96279 6a30c5 _wcslen 96277->96279 96278 6633e8 96282 6ccd57 30 API calls 96278->96282 96280 67fe0b 22 API calls 96279->96280 96281 6a30fe __fread_nolock 96280->96281 96282->96238 96283->96238 96284->96269 96286 6633fe _wcslen 96285->96286 96287 6a311d 96286->96287 96288 663411 96286->96288 96289 67fddb 22 API calls 96287->96289 96290 66a587 22 API calls 96288->96290 96292 6a3127 96289->96292 96291 66341e __fread_nolock 
96290->96291 96291->96278 96293 67fe0b 22 API calls 96292->96293 96294 6a3157 __fread_nolock 96293->96294 96296 667510 53 API calls 96295->96296 96297 6e7f90 96296->96297 96321 6e7fd5 messages 96297->96321 96333 6e8cd3 96297->96333 96299 6e8281 96300 6e844f 96299->96300 96305 6e828f 96299->96305 96374 6e8ee4 60 API calls 96300->96374 96303 6e845e 96304 6e846a 96303->96304 96303->96305 96304->96321 96346 6e7e86 96305->96346 96306 667510 53 API calls 96322 6e8049 96306->96322 96311 6e82c8 96361 67fc70 96311->96361 96314 6e82e8 96367 6d359c 82 API calls __wsopen_s 96314->96367 96315 6e8302 96368 6663eb 22 API calls 96315->96368 96318 6e82f3 GetCurrentProcess TerminateProcess 96318->96315 96319 6e8311 96369 666a50 22 API calls 96319->96369 96321->96089 96322->96299 96322->96306 96322->96321 96365 6c417d 22 API calls __fread_nolock 96322->96365 96366 6e851d 42 API calls _strftime 96322->96366 96323 6e832a 96332 6e8352 96323->96332 96370 6704f0 22 API calls 96323->96370 96325 6e84c5 96325->96321 96329 6e84d9 FreeLibrary 96325->96329 96326 6e8341 96371 6e8b7b 75 API calls 96326->96371 96329->96321 96332->96325 96372 6704f0 22 API calls 96332->96372 96373 66aceb 23 API calls messages 96332->96373 96375 6e8b7b 75 API calls 96332->96375 96334 66aec9 22 API calls 96333->96334 96335 6e8cee CharLowerBuffW 96334->96335 96336 6c8e54 41 API calls 96335->96336 96337 6e8d0f 96336->96337 96339 66a961 22 API calls 96337->96339 96345 6e8d48 _wcslen 96337->96345 96340 6e8d2a 96339->96340 96376 666d25 22 API calls __fread_nolock 96340->96376 96342 6e8d3e 96343 6693b2 22 API calls 96342->96343 96343->96345 96344 6e8e5e _wcslen 96344->96322 96345->96344 96377 6e851d 42 API calls _strftime 96345->96377 96347 6e7eec 96346->96347 96348 6e7ea1 96346->96348 96352 6e9096 96347->96352 96349 67fe0b 22 API calls 96348->96349 96350 6e7ec3 96349->96350 96350->96347 96351 67fddb 22 API calls 96350->96351 96351->96350 96353 6e92ab messages 96352->96353 96360 6e90ba _strcat _wcslen 96352->96360 
96353->96311 96354 66b567 39 API calls 96354->96360 96355 66b38f 39 API calls 96355->96360 96356 66b6b5 39 API calls 96356->96360 96357 667510 53 API calls 96357->96360 96358 68ea0c 21 API calls ___std_exception_copy 96358->96360 96360->96353 96360->96354 96360->96355 96360->96356 96360->96357 96360->96358 96378 6cefae 24 API calls _wcslen 96360->96378 96363 67fc85 96361->96363 96362 67fd1d VirtualProtect 96364 67fceb 96362->96364 96363->96362 96363->96364 96364->96314 96364->96315 96365->96322 96366->96322 96367->96318 96368->96319 96369->96323 96370->96326 96371->96332 96372->96332 96373->96332 96374->96303 96375->96332 96376->96342 96377->96344 96378->96360 96380 666270 22 API calls 96379->96380 96390 669eb5 96380->96390 96381 669fd2 96382 66a4a1 22 API calls 96381->96382 96383 669fec 96382->96383 96383->96094 96386 66a12c __fread_nolock 96387 6af7c4 96386->96387 96397 66a405 96386->96397 96413 6c96e2 84 API calls __wsopen_s 96387->96413 96388 6af699 96394 67fddb 22 API calls 96388->96394 96390->96381 96390->96386 96390->96387 96390->96388 96393 66a6c3 22 API calls 96390->96393 96390->96397 96402 66a587 22 API calls 96390->96402 96403 66aec9 22 API calls 96390->96403 96406 66a4a1 22 API calls 96390->96406 96408 664573 41 API calls _wcslen 96390->96408 96410 6648c8 23 API calls 96390->96410 96411 6649bd 22 API calls __fread_nolock 96390->96411 96412 66a673 22 API calls 96390->96412 96393->96390 96398 6af754 96394->96398 96395 6af7d2 96396 66a4a1 22 API calls 96395->96396 96399 6af7e8 96396->96399 96397->96383 96414 6c96e2 84 API calls __wsopen_s 96397->96414 96400 67fe0b 22 API calls 96398->96400 96399->96383 96400->96386 96402->96390 96404 66a0db CharUpperBuffW 96403->96404 96409 66a673 22 API calls 96404->96409 96406->96390 96407->96098 96408->96390 96409->96390 96410->96390 96411->96390 96412->96390 96413->96395 96414->96383 96416 6e56a4 96415->96416 96421 6e56f2 96415->96421 96417 67fe0b 22 API calls 96416->96417 96419 6e56c6 96417->96419 96418 67fddb 22 API 
calls 96418->96419 96419->96418 96419->96421 96433 6d0a59 22 API calls 96419->96433 96421->96105 96423 6d0ada 96422->96423 96425 6d0b13 96422->96425 96424 67fddb 22 API calls 96423->96424 96423->96425 96424->96425 96425->96131 96426->96132 96427->96114 96428->96120 96429->96132 96430->96133 96431->96137 96432->96132 96433->96419 96434 698402 96439 6981be 96434->96439 96437 69842a 96440 6981ef try_get_first_available_module 96439->96440 96447 698338 96440->96447 96454 688e0b 40 API calls 2 library calls 96440->96454 96442 6983ee 96458 6927ec 26 API calls __wsopen_s 96442->96458 96444 698343 96444->96437 96451 6a0984 96444->96451 96446 69838c 96446->96447 96455 688e0b 40 API calls 2 library calls 96446->96455 96447->96444 96457 68f2d9 20 API calls __dosmaperr 96447->96457 96449 6983ab 96449->96447 96456 688e0b 40 API calls 2 library calls 96449->96456 96459 6a0081 96451->96459 96453 6a099f 96453->96437 96454->96446 96455->96449 96456->96447 96457->96442 96458->96444 96461 6a008d BuildCatchObjectHelperInternal 96459->96461 96460 6a009b 96517 68f2d9 20 API calls __dosmaperr 96460->96517 96461->96460 96463 6a00d4 96461->96463 96470 6a065b 96463->96470 96464 6a00a0 96518 6927ec 26 API calls __wsopen_s 96464->96518 96469 6a00aa __wsopen_s 96469->96453 96520 6a042f 96470->96520 96473 6a068d 96552 68f2c6 20 API calls __dosmaperr 96473->96552 96474 6a06a6 96538 695221 96474->96538 96477 6a06ab 96478 6a06cb 96477->96478 96479 6a06b4 96477->96479 96551 6a039a CreateFileW 96478->96551 96554 68f2c6 20 API calls __dosmaperr 96479->96554 96483 6a0704 96486 6a0781 GetFileType 96483->96486 96487 6a0756 GetLastError 96483->96487 96556 6a039a CreateFileW 96483->96556 96484 6a06b9 96555 68f2d9 20 API calls __dosmaperr 96484->96555 96488 6a078c GetLastError 96486->96488 96489 6a07d3 96486->96489 96557 68f2a3 20 API calls __dosmaperr 96487->96557 96558 68f2a3 20 API calls __dosmaperr 96488->96558 96560 69516a 21 API calls 2 library calls 96489->96560 96492 6a079a CloseHandle 96494 6a0692 
96492->96494 96495 6a07c3 96492->96495 96553 68f2d9 20 API calls __dosmaperr 96494->96553 96559 68f2d9 20 API calls __dosmaperr 96495->96559 96497 6a0749 96497->96486 96497->96487 96499 6a07f4 96501 6a0840 96499->96501 96561 6a05ab 72 API calls 3 library calls 96499->96561 96500 6a07c8 96500->96494 96506 6a086d 96501->96506 96562 6a014d 72 API calls 4 library calls 96501->96562 96504 6a0866 96505 6a087e 96504->96505 96504->96506 96508 6a00f8 96505->96508 96509 6a08fc CloseHandle 96505->96509 96507 6986ae __wsopen_s 29 API calls 96506->96507 96507->96508 96519 6a0121 LeaveCriticalSection __wsopen_s 96508->96519 96563 6a039a CreateFileW 96509->96563 96511 6a0927 96512 6a095d 96511->96512 96513 6a0931 GetLastError 96511->96513 96512->96508 96564 68f2a3 20 API calls __dosmaperr 96513->96564 96515 6a093d 96565 695333 21 API calls 2 library calls 96515->96565 96517->96464 96518->96469 96519->96469 96521 6a0450 96520->96521 96522 6a046a 96520->96522 96521->96522 96573 68f2d9 20 API calls __dosmaperr 96521->96573 96566 6a03bf 96522->96566 96525 6a045f 96574 6927ec 26 API calls __wsopen_s 96525->96574 96527 6a04a2 96528 6a04d1 96527->96528 96575 68f2d9 20 API calls __dosmaperr 96527->96575 96535 6a0524 96528->96535 96577 68d70d 26 API calls 2 library calls 96528->96577 96531 6a051f 96533 6a059e 96531->96533 96531->96535 96532 6a04c6 96576 6927ec 26 API calls __wsopen_s 96532->96576 96578 6927fc 11 API calls _abort 96533->96578 96535->96473 96535->96474 96537 6a05aa 96539 69522d BuildCatchObjectHelperInternal 96538->96539 96581 692f5e EnterCriticalSection 96539->96581 96541 69527b 96582 69532a 96541->96582 96543 695259 96585 695000 96543->96585 96544 695234 96544->96541 96544->96543 96548 6952c7 EnterCriticalSection 96544->96548 96545 6952a4 __wsopen_s 96545->96477 96548->96541 96549 6952d4 LeaveCriticalSection 96548->96549 96549->96544 96551->96483 96552->96494 96553->96508 96554->96484 96555->96494 96556->96497 96557->96494 96558->96492 96559->96500 96560->96499 
96561->96501 96562->96504 96563->96511 96564->96515 96565->96512 96568 6a03d7 96566->96568 96567 6a03f2 96567->96527 96568->96567 96579 68f2d9 20 API calls __dosmaperr 96568->96579 96570 6a0416 96580 6927ec 26 API calls __wsopen_s 96570->96580 96572 6a0421 96572->96527 96573->96525 96574->96522 96575->96532 96576->96528 96577->96531 96578->96537 96579->96570 96580->96572 96581->96544 96593 692fa6 LeaveCriticalSection 96582->96593 96584 695331 96584->96545 96586 694c7d __dosmaperr 20 API calls 96585->96586 96589 695012 96586->96589 96587 69501f 96588 6929c8 _free 20 API calls 96587->96588 96590 695071 96588->96590 96589->96587 96594 693405 11 API calls 2 library calls 96589->96594 96590->96541 96592 695147 EnterCriticalSection 96590->96592 96592->96541 96593->96584 96594->96589 96595 661cad SystemParametersInfoW 96596 6a2ba5 96597 662b25 96596->96597 96598 6a2baf 96596->96598 96624 662b83 7 API calls 96597->96624 96639 663a5a 96598->96639 96602 6a2bb8 96604 669cb3 22 API calls 96602->96604 96606 6a2bc6 96604->96606 96605 662b2f 96607 662b44 96605->96607 96628 663837 96605->96628 96608 6a2bce 96606->96608 96609 6a2bf5 96606->96609 96615 662b5f 96607->96615 96638 6630f2 Shell_NotifyIconW ___scrt_fastfail 96607->96638 96612 6633c6 22 API calls 96608->96612 96611 6633c6 22 API calls 96609->96611 96622 6a2bf1 GetForegroundWindow ShellExecuteW 96611->96622 96613 6a2bd9 96612->96613 96614 666350 22 API calls 96613->96614 96617 6a2be7 96614->96617 96621 662b66 SetCurrentDirectoryW 96615->96621 96620 6633c6 22 API calls 96617->96620 96619 6a2c26 96619->96615 96620->96622 96623 662b7a 96621->96623 96622->96619 96646 662cd4 7 API calls 96624->96646 96626 662b2a 96627 662c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 96626->96627 96627->96605 96629 663862 ___scrt_fastfail 96628->96629 96647 664212 96629->96647 96632 6638e8 96634 663906 Shell_NotifyIconW 96632->96634 96635 6a3386 Shell_NotifyIconW 96632->96635 96651 663923 96634->96651 96637 66391c 96637->96607 
96638->96615 96640 6a1f50 __wsopen_s 96639->96640 96641 663a67 GetModuleFileNameW 96640->96641 96642 669cb3 22 API calls 96641->96642 96643 663a8d 96642->96643 96644 663aa2 23 API calls 96643->96644 96645 663a97 96644->96645 96645->96602 96646->96626 96648 6638b7 96647->96648 96649 6a35a4 96647->96649 96648->96632 96673 6cc874 42 API calls _strftime 96648->96673 96649->96648 96650 6a35ad DestroyIcon 96649->96650 96650->96648 96652 663a13 96651->96652 96653 66393f 96651->96653 96652->96637 96654 666270 22 API calls 96653->96654 96655 66394d 96654->96655 96656 6a3393 LoadStringW 96655->96656 96657 66395a 96655->96657 96660 6a33ad 96656->96660 96658 666b57 22 API calls 96657->96658 96659 66396f 96658->96659 96661 6a33c9 96659->96661 96662 66397c 96659->96662 96663 66a8c7 22 API calls 96660->96663 96667 663994 ___scrt_fastfail 96660->96667 96665 666350 22 API calls 96661->96665 96662->96660 96664 663986 96662->96664 96663->96667 96666 666350 22 API calls 96664->96666 96668 6a33d7 96665->96668 96666->96667 96670 6639f9 Shell_NotifyIconW 96667->96670 96668->96667 96669 6633c6 22 API calls 96668->96669 96671 6a33f9 96669->96671 96670->96652 96672 6633c6 22 API calls 96671->96672 96672->96667 96673->96632 96674 663156 96677 663170 96674->96677 96678 663187 96677->96678 96679 66318c 96678->96679 96680 6631eb 96678->96680 96717 6631e9 96678->96717 96681 663265 PostQuitMessage 96679->96681 96682 663199 96679->96682 96684 6a2dfb 96680->96684 96685 6631f1 96680->96685 96689 66316a 96681->96689 96687 6631a4 96682->96687 96688 6a2e7c 96682->96688 96683 6631d0 DefWindowProcW 96683->96689 96726 6618e2 10 API calls 96684->96726 96690 66321d SetTimer RegisterWindowMessageW 96685->96690 96691 6631f8 96685->96691 96693 6a2e68 96687->96693 96694 6631ae 96687->96694 96731 6cbf30 34 API calls ___scrt_fastfail 96688->96731 96690->96689 96695 663246 CreatePopupMenu 96690->96695 96697 6a2d9c 96691->96697 96698 663201 KillTimer 96691->96698 96692 6a2e1c 96727 67e499 42 API calls 96692->96727 
96730 6cc161 27 API calls ___scrt_fastfail 96693->96730 96701 6a2e4d 96694->96701 96702 6631b9 96694->96702 96695->96689 96704 6a2da1 96697->96704 96705 6a2dd7 MoveWindow 96697->96705 96722 6630f2 Shell_NotifyIconW ___scrt_fastfail 96698->96722 96701->96683 96729 6c0ad7 22 API calls 96701->96729 96709 6631c4 96702->96709 96710 663253 96702->96710 96703 6a2e8e 96703->96683 96703->96689 96711 6a2dc6 SetFocus 96704->96711 96712 6a2da7 96704->96712 96705->96689 96707 663214 96723 663c50 DeleteObject DestroyWindow 96707->96723 96708 663263 96708->96689 96709->96683 96728 6630f2 Shell_NotifyIconW ___scrt_fastfail 96709->96728 96724 66326f 44 API calls ___scrt_fastfail 96710->96724 96711->96689 96712->96709 96715 6a2db0 96712->96715 96725 6618e2 10 API calls 96715->96725 96717->96683 96720 6a2e41 96721 663837 49 API calls 96720->96721 96721->96717 96722->96707 96723->96689 96724->96708 96725->96689 96726->96692 96727->96709 96728->96720 96729->96717 96730->96708 96731->96703 96732 662e37 96733 66a961 22 API calls 96732->96733 96734 662e4d 96733->96734 96811 664ae3 96734->96811 96736 662e6b 96737 663a5a 24 API calls 96736->96737 96738 662e7f 96737->96738 96739 669cb3 22 API calls 96738->96739 96740 662e8c 96739->96740 96741 664ecb 94 API calls 96740->96741 96742 662ea5 96741->96742 96743 6a2cb0 96742->96743 96744 662ead 96742->96744 96745 6d2cf9 80 API calls 96743->96745 96747 66a8c7 22 API calls 96744->96747 96746 6a2cc3 96745->96746 96748 6a2ccf 96746->96748 96749 664f39 68 API calls 96746->96749 96750 662ec3 96747->96750 96752 664f39 68 API calls 96748->96752 96749->96748 96825 666f88 22 API calls 96750->96825 96754 6a2ce5 96752->96754 96753 662ecf 96755 669cb3 22 API calls 96753->96755 96841 663084 22 API calls 96754->96841 96756 662edc 96755->96756 96826 66a81b 41 API calls 96756->96826 96759 662eec 96761 669cb3 22 API calls 96759->96761 96760 6a2d02 96842 663084 22 API calls 96760->96842 96762 662f12 96761->96762 96827 66a81b 41 API calls 96762->96827 96765 6a2d1e 

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetVersionExW.KERNEL32(?), ref: 0066430D
                                                                                          • Part of subcall function 00666B57: _wcslen.LIBCMT ref: 00666B6A
                                                                                        • GetCurrentProcess.KERNEL32(?,006FCB64,00000000,?,?), ref: 00664422
                                                                                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00664429
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00664454
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00664466
                                                                                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00664474
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0066447B
                                                                                        • GetSystemInfo.KERNEL32(?,?,?), ref: 006644A0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                        • API String ID: 3290436268-3101561225
                                                                                        • Opcode ID: bd2738eb64e9cb523d0c7ae7bd172129eb58d6f7da2d90ef2c137649f9a54624
                                                                                        • Instruction ID: 5a52d9807434740b547f8faba4454ddbe3f2462584e38d709e74dd281180681d
                                                                                        • Opcode Fuzzy Hash: bd2738eb64e9cb523d0c7ae7bd172129eb58d6f7da2d90ef2c137649f9a54624
                                                                                        • Instruction Fuzzy Hash: 2DA1B77290A3D0DFE711D7797D411E57FE6AB27342B88D899E08193B22DA384909CF2D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006650AA,?,?,00000000,00000000), ref: 006642B2
                                                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006650AA,?,?,00000000,00000000), ref: 006642C9
                                                                                        • LoadResource.KERNEL32(?,00000000,?,?,006650AA,?,?,00000000,00000000,?,?,?,?,?,?,00664F20), ref: 006A35BE
                                                                                        • SizeofResource.KERNEL32(?,00000000,?,?,006650AA,?,?,00000000,00000000,?,?,?,?,?,?,00664F20), ref: 006A35D3
                                                                                        • LockResource.KERNEL32(006650AA,?,?,006650AA,?,?,00000000,00000000,?,?,?,?,?,?,00664F20,?), ref: 006A35E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                        • String ID: SCRIPT
                                                                                        • API String ID: 3051347437-3967369404
                                                                                        • Opcode ID: cee9b974825a9c41f18bd561c77f076896e5834efad92a62aa62e28af53de970
                                                                                        • Instruction ID: 711b33a7bbf716ce34c5d1b0e6ba9c378f6f0e8d93f9ca1694ba436ef7a9f6b6
                                                                                        • Opcode Fuzzy Hash: cee9b974825a9c41f18bd561c77f076896e5834efad92a62aa62e28af53de970
                                                                                        • Instruction Fuzzy Hash: 60115A70200604AFD7218B65DD59F677BBEEFC5B61F204169F40296250DB71DD10DA20

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00662B6B
                                                                                          • Part of subcall function 00663A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00731418,?,00662E7F,?,?,?,00000000), ref: 00663A78
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                        • GetForegroundWindow.USER32(runas,?,?,?,?,?,00722224), ref: 006A2C10
                                                                                        • ShellExecuteW.SHELL32(00000000,?,?,00722224), ref: 006A2C17
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                                        • String ID: runas
                                                                                        • API String ID: 448630720-4000483414
                                                                                        • Opcode ID: 6d55d9225386fc7d598b4527203eb5e78d7e4db35841a50f819ae506ae0ce391
                                                                                        • Instruction ID: f9fd44e8387d5140de24f7db131ccac93aea96eec484e9f5396f92d0e5b443b1
                                                                                        • Opcode Fuzzy Hash: 6d55d9225386fc7d598b4527203eb5e78d7e4db35841a50f819ae506ae0ce391
                                                                                        • Instruction Fuzzy Hash: B2113B31208396ABC744FF60E8619BEB7ABEF91354F44142CF482132A3CF35894AD716
                                                                                        APIs
                                                                                        • GetInputState.USER32 ref: 0066D807
                                                                                        • timeGetTime.WINMM ref: 0066DA07
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0066DB28
                                                                                        • TranslateMessage.USER32(?), ref: 0066DB7B
                                                                                        • DispatchMessageW.USER32(?), ref: 0066DB89
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0066DB9F
                                                                                        • Sleep.KERNEL32(0000000A), ref: 0066DBB1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                        • String ID:
                                                                                        • API String ID: 2189390790-0
                                                                                        • Opcode ID: 4d3b6eaa03616c509d771b7e10d5f4760c2d7f8478d76553821d4f94d8dfe064
                                                                                        • Instruction ID: f9211105aad10441ac6bc8db3177ad7f3244e25687e17cc95fdadbd7289cc150
                                                                                        • Opcode Fuzzy Hash: 4d3b6eaa03616c509d771b7e10d5f4760c2d7f8478d76553821d4f94d8dfe064
                                                                                        • Instruction Fuzzy Hash: 0742D1B0B08242EFD728CF24C894BEAB7E2BF46314F14865DE4558B391D774E885CB96

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00662D07
                                                                                        • RegisterClassExW.USER32(00000030), ref: 00662D31
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00662D42
                                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00662D5F
                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00662D6F
                                                                                        • LoadIconW.USER32(000000A9), ref: 00662D85
                                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00662D94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                        • API String ID: 2914291525-1005189915
                                                                                        • Opcode ID: c73ec590fd5a404de956455bcddc5e712261e2b75dee4101f0a68c0286fb050e
                                                                                        • Instruction ID: 2358c576d8e4f9733f8a2bb3e118f0359f3b94cc969b88de5583beea7d33a0ca
                                                                                        • Opcode Fuzzy Hash: c73ec590fd5a404de956455bcddc5e712261e2b75dee4101f0a68c0286fb050e
                                                                                        • Instruction Fuzzy Hash: C221E3B190124CEFEB00DFA4E949BEDBBB5FB08711F00811AF611A62A0D7B51544CF95

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 006A039A: CreateFileW.KERNELBASE(00000000,00000000,?,006A0704,?,?,00000000,?,006A0704,00000000,0000000C), ref: 006A03B7
                                                                                        • GetLastError.KERNEL32 ref: 006A076F
                                                                                        • __dosmaperr.LIBCMT ref: 006A0776
                                                                                        • GetFileType.KERNELBASE(00000000), ref: 006A0782
                                                                                        • GetLastError.KERNEL32 ref: 006A078C
                                                                                        • __dosmaperr.LIBCMT ref: 006A0795
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 006A07B5
                                                                                        • CloseHandle.KERNEL32(?), ref: 006A08FF
                                                                                        • GetLastError.KERNEL32 ref: 006A0931
                                                                                        • __dosmaperr.LIBCMT ref: 006A0938
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                        • String ID: H
                                                                                        • API String ID: 4237864984-2852464175
                                                                                        • Opcode ID: 1fa2fb08f3fe92468f6261fa0de295bfbbe8c94eb1b43458fe05f6958b3ec59b
                                                                                        • Instruction ID: b7b12ef1895e3d5bf9a973da21d1c36ba55428da306ea05d19b47e7a04bfead1
                                                                                        • Opcode Fuzzy Hash: 1fa2fb08f3fe92468f6261fa0de295bfbbe8c94eb1b43458fe05f6958b3ec59b
                                                                                        • Instruction Fuzzy Hash: B2A11432A001098FEF19BF68D861BAE7BA2AB07324F14415DF815EB391DB359D12CF95

Control-flow Graph: not included in this extract.

APIs
  • Part of subcall function 00663A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00731418,?,00662E7F,?,?,?,00000000), ref: 00663A78
  • Part of subcall function 00663357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00663379
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0066356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006A318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006A31CE
• RegCloseKey.ADVAPI32(?), ref: 006A3210
• _wcslen.LIBCMT ref: 006A3277
• _wcslen.LIBCMT ref: 006A3286
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: f658fe21e3b7993d7db019d36fe8763bec61d6ba1b41729e03bbcf0aac6ab1c9
• Instruction ID: 718e41b3cba46621feece6863cce2a5aa1522f02dfc61a6839c7617547e2c88c
• Opcode Fuzzy Hash: f658fe21e3b7993d7db019d36fe8763bec61d6ba1b41729e03bbcf0aac6ab1c9
• Instruction Fuzzy Hash: EE7104714043009ED314EF65EC829ABBBE9FF85350F50852EF545C3262EB389A09CF6A

Control-flow Graph: not included in this extract.

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00662B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 00662B9D
• LoadIconW.USER32(00000063), ref: 00662BB3
• LoadIconW.USER32(000000A4), ref: 00662BC5
• LoadIconW.USER32(000000A2), ref: 00662BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00662BEF
• RegisterClassExW.USER32(?), ref: 00662C40
  • Part of subcall function 00662CD4: GetSysColorBrush.USER32(0000000F), ref: 00662D07
  • Part of subcall function 00662CD4: RegisterClassExW.USER32(00000030), ref: 00662D31
  • Part of subcall function 00662CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00662D42
  • Part of subcall function 00662CD4: InitCommonControlsEx.COMCTL32(?), ref: 00662D5F
  • Part of subcall function 00662CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00662D6F
  • Part of subcall function 00662CD4: LoadIconW.USER32(000000A9), ref: 00662D85
  • Part of subcall function 00662CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00662D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 7ab16b38a126fab239f350a798282a5d4cd478efedfcd9af2029389785e06300
• Instruction ID: 06bd3b3e4032b93ca09bd3817d83c519e9271feb886a565abb265b16e691ec7f
• Opcode Fuzzy Hash: 7ab16b38a126fab239f350a798282a5d4cd478efedfcd9af2029389785e06300
• Instruction Fuzzy Hash: 09213EB1E00318AFEB109FA6ED55BAD7FB5FB48B51F40801AF500A66A0D7B91544CF98

APIs
• __Init_thread_footer.LIBCMT ref: 0066BB4E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: p#s$p#s$p#s$p#s$p%s$p%s$x#s$x#s
• API String ID: 1385522511-2360114552
• Opcode ID: 5e286ac7367bb20127ef971850dab382a1af22053c39a558650e18b9e2411fcb
• Instruction ID: 0ffa783945305ebeaa916a4bcb14913054f5edfc079f1e3f5ce5aa1a216835b9
• Opcode Fuzzy Hash: 5e286ac7367bb20127ef971850dab382a1af22053c39a558650e18b9e2411fcb
• Instruction Fuzzy Hash: BC328E74A00209DFEB24CF58C894AFEBBBBEF45314F148059E905AB352D774AD82CB95

Control-flow Graph: rendered graphically in the original report (executed / not-executed colouring not reproduced). Basic blocks 0x663170-0x66326d and 0x6a2d9c-0x6a2e96; internal calls to 6618e2, 67e499, 6cbf30, 6cc161, 6630f2, 663c50, 6c0ad7, 663837 and 66326f; imports reached from the graph: DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, plus MoveWindow and SetFocus in the 0x6a2d.. chunk, which the APIs list below does not show.

APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0066316A,?,?), ref: 006631D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,0066316A,?,?), ref: 00663204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00663227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0066316A,?,?), ref: 00663232
• CreatePopupMenu.USER32 ref: 00663246
• PostQuitMessage.USER32(00000000), ref: 00663267
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: dc39179233210545bf86c85cca2ff9fbe772f6303128a38103dd4a7ece148d05
• Instruction ID: 40c03c5e1285774447ce30496f7b3a0fc9527063f9f59a64a7f984920a82b57a
• Opcode Fuzzy Hash: dc39179233210545bf86c85cca2ff9fbe772f6303128a38103dd4a7ece148d05
• Instruction Fuzzy Hash: CF415931240264A7EB142B7C9D6DBF93B5FEB06350F444129FA02C63A2C77A9F41CB69

Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID: D%s$D%s$D%s$D%s$D%sD%s$Variable must be of type 'Object'.
• API String ID: 0-2674537417
• Opcode ID: 886711702d0ca1d62c2079f7846015a103383d51984c1d6852eb840a71ee3275
• Instruction ID: 54d5ac25259c226e07e9547a5061c8e843725ac947e863eb161adc6c52f697dc
• Opcode Fuzzy Hash: 886711702d0ca1d62c2079f7846015a103383d51984c1d6852eb840a71ee3275
• Instruction Fuzzy Hash: B1C29F79A00215CFDB24CF58C880AADB7F2FF09310F248569E915AB351D776ED82CB95

Control-flow Graph: rendered graphically in the original report (executed / not-executed colouring not reproduced). Basic blocks 0xcb5178-0xcb547a; internal calls to cb2b78, cb6088, cb62d8 and cb60e8. The import sequence along the graph is CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, CloseHandle, VirtualFree (two sites), with an edge from the tail block (cb5396-cb539f) back to the CreateFileW block; VirtualAlloc, ReadFile and CloseHandle appear only in the graph, not in the APIs list below.

APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00CB5249
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CB546F
Memory Dump Source
• Source File: 00000000.00000002.1383162824.0000000000CB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cb2000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
• Instruction ID: b9aadad13aec6b880142e8d014156c1fa453027d8b1204219eb05e4fcef91e6a
• Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
• Instruction Fuzzy Hash: F1A10674E00209EBEF14CFA4C894BEEBBB5BF48305F208159E611BB290D7B59A81DF55
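Added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for the "APIs" lines in these function summaries that turns the raw hex stack slots the report prints into named Win32 constants. It is written for two of the summaries on this page: the CreateFileW / VirtualFree calls of the function above (the 0xCB2000 region, which the report marks as not PE-backed) and the RegOpenKeyExW call on Software\AutoIt v3\AutoIt from the earlier function (ref 0066356A). Assumptions: the line layout is the one shown in this report; slots beyond an API's real parameter count are caller-frame residue and are ignored; the constant tables cover only the arguments decoded here. The sample lines are copied from the summaries on this page.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function summary.

Added example for this page; not Joe Sandbox code and not code from the
analysed sample. Assumes the line layout shown in the report:
'• Api.MODULE(arg,arg,...), ref: ADDRESS', optionally prefixed with
'Part of subcall function XXXX:'. Slots past an API's real parameter
count are treated as caller-frame residue and ignored by the decoders."""
import re
from dataclasses import dataclass
from typing import Optional

# Constants from the Windows SDK headers (winnt.h, winbase.h, winreg.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
MEM_FREE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY",
              0x20000: "STANDARD_RIGHTS_READ"}

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HEX_SLOT = re.compile(r"^[0-9A-Fa-f]{8}$")  # the report zero-pads numeric slots to 8 digits


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                      # call-site address
    args: list                    # int for numbers, str for strings, None for '?'
    caller: Optional[int] = None  # set for 'Part of subcall function' lines


def _slot(raw: str):
    """'?' means the static pass could not resolve the slot; keep that as None."""
    raw = raw.strip()
    if raw == "?":
        return None
    return int(raw, 16) if HEX_SLOT.match(raw) else raw


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [_slot(a) for a in m["args"].split(",")] if m["args"] else []
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["api"], m["module"], int(m["ref"], 16), args, caller))
    return calls


def _bits(value: Optional[int], table: dict) -> Optional[list]:
    """Expand a bit mask into names; bits without a name stay as a hex remainder."""
    if value is None:
        return None
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names


def decode(call: ApiCall) -> dict:
    """Decode the arguments that matter for triage; other APIs return {}."""
    a = call.args
    if call.api == "CreateFileW" and len(a) >= 7:
        return {"access": _bits(a[2], GENERIC_ACCESS), "share": _bits(a[3], FILE_SHARE),
                "disposition": DISPOSITION.get(a[5], a[5]), "flags": _bits(a[6], FILE_FLAGS)}
    if call.api == "VirtualFree" and len(a) >= 3:
        return {"free_type": _bits(a[2], MEM_FREE)}
    if call.api == "RegOpenKeyExW" and len(a) >= 4:
        return {"hive": HIVES.get(a[0], a[0]), "subkey": a[1], "access": _bits(a[3], KEY_RIGHTS)}
    return {}


def summarize(text: str) -> list:
    return [(c.api, f"{c.ref:08X}", decode(c)) for c in parse_api_lines(text)]


# Lines copied from the function summaries on this page.
SAMPLE = r"""
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00CB5249
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CB546F
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0066356A
• GetLastError.KERNEL32 ref: 006A076F
  • Part of subcall function 006A039A: CreateFileW.KERNELBASE(00000000,00000000,?,006A0704,?,?,00000000,?,006A0704,00000000,0000000C), ref: 006A03B7
"""

if __name__ == "__main__":
    for api, ref, info in summarize(SAMPLE):
        print(f"{ref}  {api:<16} {info}")
```

Decoded, the CreateFileW at 00CB5249 is a GENERIC_READ, OPEN_EXISTING open with read, write and delete sharing and FILE_ATTRIBUTE_NORMAL; the VirtualFree at 00CB546F is a MEM_RELEASE; the RegOpenKeyExW at 0066356A opens HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt with KEY_QUERY_VALUE only. A '?' slot means the static pass could not resolve that argument, so the decoder leaves it as None instead of guessing, and any slot past the API's real parameter count (the 0066316A-style values seen in several lines above) is stack residue, not an argument.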

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1280 662c63-662cd3 CreateWindowExW * 2 ShowWindow * 2
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00662C91
                                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00662CB2
                                                                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00661CAD,?), ref: 00662CC6
                                                                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00661CAD,?), ref: 00662CCF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$CreateShow
                                                                                        • String ID: AutoIt v3$edit
                                                                                        • API String ID: 1584632944-3779509399
                                                                                        • Opcode ID: ca2a4d7225a3308f2f09c16042fc4efbe31d91e09fe36702e1c11e65ca3114cc
                                                                                        • Instruction ID: 29c16b1ff0223cf9467fef86ea3bee99f1dcce29ca072ac8ca52961a73a235cf
                                                                                        • Opcode Fuzzy Hash: ca2a4d7225a3308f2f09c16042fc4efbe31d91e09fe36702e1c11e65ca3114cc
                                                                                        • Instruction Fuzzy Hash: C2F03A755402987AFB301B13AC18EB72FBED7C6F61B40801AFA00A35A0C2690844DEB8

                                                                                        Control-flow Graph
                                                                                        • Control-flow graph 1395: function cb4f28-cb5128, calls cb2b78, cb4e18, CreateFileW, VirtualAlloc, ReadFile, cb4e58, cb3e18, cb4ea8, ExitProcess
                                                                                        APIs
                                                                                          • Part of subcall function 00CB4E18: Sleep.KERNELBASE(000001F4), ref: 00CB4E29
                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CB5062
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1383162824.0000000000CB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_cb2000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFileSleep
                                                                                        • String ID: S9P311CBNO6N2XWRLMKQ
                                                                                        • API String ID: 2694422964-1729131502
                                                                                        • Opcode ID: a704b1a58720026e2eb8ba840ce4250866e41624508d412e47c07ef222a3c233
                                                                                        • Instruction ID: 614f691de508b1e3e3e6863bd473f6bdcf6e5189e5dd191812779d5b03489062
                                                                                        • Opcode Fuzzy Hash: a704b1a58720026e2eb8ba840ce4250866e41624508d412e47c07ef222a3c233
                                                                                        • Instruction Fuzzy Hash: B651B431D04288EAEF11DBA4D854BEEBB75AF19700F004199E248BB2C1D7BA4B44CBA5

                                                                                        Control-flow Graph
                                                                                        • Control-flow graph 1729: function 663b1c-663b9b, calls RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                                                                                        APIs
                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00663B0F,SwapMouseButtons,00000004,?), ref: 00663B40
                                                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00663B0F,SwapMouseButtons,00000004,?), ref: 00663B61
                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00663B0F,SwapMouseButtons,00000004,?), ref: 00663B83
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: Control Panel\Mouse
                                                                                        • API String ID: 3677997916-824357125
                                                                                        • Opcode ID: 4979c42979eca9b386a7a7ee6f17716c1171567670a2b23b5f44207b6f8e54bd
                                                                                        • Instruction ID: d01d1c99ce9aaa5657a5706a50c93a3381b8f70412bd86f71d55f1393cd92adb
                                                                                        • Opcode Fuzzy Hash: 4979c42979eca9b386a7a7ee6f17716c1171567670a2b23b5f44207b6f8e54bd
                                                                                        • Instruction Fuzzy Hash: A0115AB1510218FFDB208FA4DC44EEEB7B9EF21754B104459A801D7210D6319E419760

                                                                                        Control-flow Graph
                                                                                        • Control-flow graph 1740: function cb3e18-cb49db, calls cb62b8 * 3, CreateProcessW, Wow64GetThreadContext, ReadProcessMemory, cb5938, cb5a78, cb5888, cb62d8, cb5488, Wow64SetThreadContext, cb57b8
                                                                                        APIs
                                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 00CB45D3
                                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CB4669
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CB468B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1383162824.0000000000CB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_cb2000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 2438371351-0
                                                                                        • Opcode ID: 6e999cef06aac06fcde311c2673bbf8567a4d88a660ea8880241fb15dada5407
                                                                                        • Instruction ID: 27b368d32f8bef9b74cc21c23941d5ffd2fed964680dbdd400cce04c7d493c89
                                                                                        • Opcode Fuzzy Hash: 6e999cef06aac06fcde311c2673bbf8567a4d88a660ea8880241fb15dada5407
                                                                                        • Instruction Fuzzy Hash: 93620B30A14658DBEB24CFA4C841BDEB376EF58300F1091A9D11DEB391E77A9E81CB59

                                                                                        Control-flow Graph
                                                                                        • Control-flow graph 1850: function 663923-663a17 (with blocks at 6a3393-6a3409), calls 666270, LoadStringW, 666b57, 666350, 663fcf, 682340, 663a18, 684983, Shell_NotifyIconW, 66988f, 66a8c7, 6633c6
                                                                                        APIs
                                                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006A33A2
                                                                                          • Part of subcall function 00666B57: _wcslen.LIBCMT ref: 00666B6A
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00663A04
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconLoadNotifyShell_String_wcslen
                                                                                        • String ID: Line:
                                                                                        • API String ID: 2289894680-1585850449
                                                                                        • Opcode ID: 5a92dbb92b79457c0d062092e09f95151ca63aa90b370127189e4ce68e675da2
                                                                                        • Instruction ID: c349b98b46dbc069f68c7c219917ae7a88fdfff6f14d49bf4dd8ba8f1d982908
                                                                                        • Opcode Fuzzy Hash: 5a92dbb92b79457c0d062092e09f95151ca63aa90b370127189e4ce68e675da2
                                                                                        • Instruction Fuzzy Hash: 1E31D471408324AED765EB20DC45BEBB7DAAF40710F00462EF599932D1EF749A49CBCA
                                                                                        APIs
                                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 006A2C8C
                                                                                          • Part of subcall function 00663AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00663A97,?,?,00662E7F,?,?,?,00000000), ref: 00663AC2
                                                                                          • Part of subcall function 00662DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00662DC4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Name$Path$FileFullLongOpen
                                                                                        • String ID: X$`er
                                                                                        • API String ID: 779396738-256315308
                                                                                        • Opcode ID: be6a582c270aeddf2de48a4f435645793c90d7f6ec976dae1812ebb87590f9d0
                                                                                        • Instruction ID: 0d8f767d5d79a738d52ed29a2a0a175fc94ca90fdc5fb224800dfa7def3a31fe
                                                                                        • Opcode Fuzzy Hash: be6a582c270aeddf2de48a4f435645793c90d7f6ec976dae1812ebb87590f9d0
                                                                                        • Instruction Fuzzy Hash: FA21D870A002989FCB41EF94D8557EE7BFAAF49314F00806EE405A7341DFB85A498F65
                                                                                        APIs
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00680668
                                                                                          • Part of subcall function 006832A4: RaiseException.KERNEL32(?,?,?,0068068A,?,00731444,?,?,?,?,?,?,0068068A,00661129,00728738,00661129), ref: 00683304
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00680685
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                        • String ID: Unknown exception
                                                                                        • API String ID: 3476068407-410509341
                                                                                        • Opcode ID: af73550351bea2f442e2a2594e947a9deaf8823851b156f9522ad231bcc3530b
                                                                                        • Instruction ID: bf5c0db7779c7ce4b0a7c5215e6475204bb8f9b8e93f62f2ff282530058c287a
                                                                                        • Opcode Fuzzy Hash: af73550351bea2f442e2a2594e947a9deaf8823851b156f9522ad231bcc3530b
                                                                                        • Instruction Fuzzy Hash: C7F0283490020D77CB90B764E856C9D776F5E00310B608A35B92891692EF31DB5ACB85
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 006E82F5
                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 006E82FC
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 006E84DD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentFreeLibraryTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 146820519-0
                                                                                        • Opcode ID: 2b71d7bac3fbb47e8752f3d0379c254566b13eb6fb189a4c43478d5156fb832c
                                                                                        • Instruction ID: 66737a5550d370a917c76c9f533fd8057719f0e05f7b2ab136b5640f8329b374
                                                                                        • Opcode Fuzzy Hash: 2b71d7bac3fbb47e8752f3d0379c254566b13eb6fb189a4c43478d5156fb832c
                                                                                        • Instruction Fuzzy Hash: EB126A71908341DFC754DF29C484B6ABBE6FF85318F04895DE8898B392DB31E946CB92
                                                                                        APIs
                                                                                          • Part of subcall function 00661BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00661BF4
                                                                                          • Part of subcall function 00661BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00661BFC
                                                                                          • Part of subcall function 00661BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00661C07
                                                                                          • Part of subcall function 00661BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00661C12
                                                                                          • Part of subcall function 00661BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00661C1A
                                                                                          • Part of subcall function 00661BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00661C22
                                                                                          • Part of subcall function 00661B4A: RegisterWindowMessageW.USER32(00000004,?,006612C4), ref: 00661BA2
                                                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0066136A
                                                                                        • OleInitialize.OLE32 ref: 00661388
                                                                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 006A24AB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1986988660-0
                                                                                        APIs
                                                                                        • CloseHandle.KERNELBASE(00000000,00000000,?,?,006985CC,?,00728CC8,0000000C), ref: 00698704
                                                                                        • GetLastError.KERNEL32(?,006985CC,?,00728CC8,0000000C), ref: 0069870E
                                                                                        • __dosmaperr.LIBCMT ref: 00698739
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast__dosmaperr
                                                                                        • String ID:
                                                                                        • API String ID: 2583163307-0
                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 006717F6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Init_thread_footer
                                                                                        • String ID: CALL
                                                                                        • API String ID: 1385522511-4196123274
                                                                                        APIs
                                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00663908
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_
                                                                                        • String ID:
                                                                                        • API String ID: 1144537725-0
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0066949C,?,00008000), ref: 00665773
                                                                                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0066949C,?,00008000), ref: 006A4052
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        APIs
                                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 00CB45D3
                                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CB4669
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CB468B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1383162824.0000000000CB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_cb2000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 2438371351-0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString
                                                                                        • String ID:
                                                                                        • API String ID: 2948472770-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 544645111-0
                                                                                        APIs
                                                                                          • Part of subcall function 00664E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00664EDD,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664E9C
                                                                                          • Part of subcall function 00664E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00664EAE
                                                                                          • Part of subcall function 00664E90: FreeLibrary.KERNEL32(00000000,?,?,00664EDD,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664EC0
                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664EFD
                                                                                          • Part of subcall function 00664E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006A3CDE,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664E62
                                                                                          • Part of subcall function 00664E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00664E74
                                                                                          • Part of subcall function 00664E59: FreeLibrary.KERNEL32(00000000,?,?,006A3CDE,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664E87
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Load$AddressFreeProc
                                                                                        • String ID:
                                                                                        • API String ID: 2632591731-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: __wsopen_s
                                                                                        • String ID:
                                                                                        • API String ID: 3347428461-0
                                                                                        APIs
                                                                                          • Part of subcall function 00694C7D: RtlAllocateHeap.NTDLL(00000008,00661129,00000000,?,00692E29,00000001,00000364,?,?,?,0068F2DE,00693863,00731444,?,0067FDF5,?), ref: 00694CBE
                                                                                        • _free.LIBCMT ref: 0069506C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap_free
                                                                                        • String ID:
                                                                                        • API String ID: 614378929-0
                                                                                        • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                        • Instruction ID: 9a268ec9bf1b9f96ea805bc0ca945051544a09d79eb9a851e628edeb39c2e039
                                                                                        • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                        • Instruction Fuzzy Hash: 98014E722047056BEB32CF55D841D9AFBEEFB85370F25061DE185836C0EA306806C7B4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                        • Instruction ID: 544a59661004f187b5bd656e2df84c105c91dc8e240eaa124bf474dd32278725
                                                                                        • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                        • Instruction Fuzzy Hash: 86F02832510A14AADF313A698C05B9A339F9F62331F14071DF524976E2EF75D84287AD
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 176396367-0
                                                                                        • Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
                                                                                        • Instruction ID: f694fa14b6862ae7045994ead00968d6e1723bf8551f13c5899a2698d9632680
                                                                                        • Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
                                                                                        • Instruction Fuzzy Hash: F1F0A4B26006017ED7649F28D806EA7BB99EF44760F10862EFA19CB2D1DB71E5148BA4
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00661129,00000000,?,00692E29,00000001,00000364,?,?,?,0068F2DE,00693863,00731444,?,0067FDF5,?), ref: 00694CBE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: 5a62b5d7ba8b8ecc11906fded6cd1e26fd9183171fec4c73aa9ea132ffb6a53a
                                                                                        • Instruction ID: e504a185331ac4d4aba292e9bd9ddacc1137cd73a6fd4b9a4d6199595d7add7a
                                                                                        • Opcode Fuzzy Hash: 5a62b5d7ba8b8ecc11906fded6cd1e26fd9183171fec4c73aa9ea132ffb6a53a
                                                                                        • Instruction Fuzzy Hash: 2CF0B431602224EEDF216F629C09F9A378FBF417B1B144216B815A6A80CE30D80386A4
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,00731444,?,0067FDF5,?,?,0066A976,00000010,00731440,006613FC,?,006613C6,?,00661129), ref: 00693852
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: 3558f1a1a8c93931f7e73a6bdf3a7dd81d19b5a948856e231b5348b1314a3293
                                                                                        • Instruction ID: 36e144c3b1428f264f8fc5472b7d3db4396cec42280aa4f1ecd022fc7f3779b6
                                                                                        • Opcode Fuzzy Hash: 3558f1a1a8c93931f7e73a6bdf3a7dd81d19b5a948856e231b5348b1314a3293
                                                                                        • Instruction Fuzzy Hash: 04E0E53110023556EF2136679E04BDA374FAF427B0F050125BC06E2F80CB10DE0193E5
                                                                                        APIs
                                                                                        • FreeLibrary.KERNEL32(?,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664F6D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        • Opcode ID: f64d59702c0bcc4614d1abf386ea98445ccaabd6f0278be90349792b9da2b261
                                                                                        • Instruction ID: 6bf0fdb4497685b8881cd3573697a6ee0c03956a346dcea5f71eabc02d9786f1
                                                                                        • Opcode Fuzzy Hash: f64d59702c0bcc4614d1abf386ea98445ccaabd6f0278be90349792b9da2b261
                                                                                        • Instruction Fuzzy Hash: 10F03071105751CFDB389F64D490862B7F6AF54329310CA7EE1DA82611CB319844DF10
                                                                                        APIs
                                                                                        • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,006AEE51,00723630,00000002), ref: 006CCD26
                                                                                          • Part of subcall function 006CCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,006CCD19,?,?,?), ref: 006CCC59
                                                                                          • Part of subcall function 006CCC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,006CCD19,?,?,?,?,006AEE51,00723630,00000002), ref: 006CCC6E
                                                                                          • Part of subcall function 006CCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,006CCD19,?,?,?,?,006AEE51,00723630,00000002), ref: 006CCC7A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Pointer$Write
                                                                                        • String ID:
                                                                                        • API String ID: 3847668363-0
                                                                                        • Opcode ID: bb6e7431f7e62c300a2ef792ac805b67c53f7e73b26a05fb335ac6309489bbec
                                                                                        • Instruction ID: 458b8febb8c0b87022204d1238ba950ca08b017b0a52df363b1d255eb9a82ad3
                                                                                        • Opcode Fuzzy Hash: bb6e7431f7e62c300a2ef792ac805b67c53f7e73b26a05fb335ac6309489bbec
                                                                                        • Instruction Fuzzy Hash: 51E06576400704EFC7219F4ADD00CEABBF9FF84360710852FE956C2510D371AA14DB60
                                                                                        APIs
                                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00662DC4
                                                                                          • Part of subcall function 00666B57: _wcslen.LIBCMT ref: 00666B6A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongNamePath_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 541455249-0
                                                                                        • Opcode ID: b1dbbe65eb1fca919893b0d3fb75c0b42129c8cc1f878ee03b647356a1970524
                                                                                        • Instruction ID: 7cf342cbf9ccf1d4a38bf5faaa442f188d7bfddff642983050ca8127fc22b4db
                                                                                        • Opcode Fuzzy Hash: b1dbbe65eb1fca919893b0d3fb75c0b42129c8cc1f878ee03b647356a1970524
                                                                                        • Instruction Fuzzy Hash: E7E0CD766001245BC710A658DC05FEA77DEDFC97A0F044075FD09D7248D960AD80C554
                                                                                        APIs
                                                                                          • Part of subcall function 00663837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00663908
                                                                                          • Part of subcall function 0066D730: GetInputState.USER32 ref: 0066D807
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00662B6B
                                                                                          • Part of subcall function 006630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0066314E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                        • String ID:
                                                                                        • API String ID: 3667716007-0
                                                                                        • Opcode ID: d1405f5f2a4267574afebf5764358c13ffebd3bc3e04fdf09fcf5bccfc614799
                                                                                        • Instruction ID: 4041ec982fbdd795b13b1af164698683ce7e998ed5cbf00b6cde7c83f0728c52
                                                                                        • Opcode Fuzzy Hash: d1405f5f2a4267574afebf5764358c13ffebd3bc3e04fdf09fcf5bccfc614799
                                                                                        • Instruction Fuzzy Hash: A3E07D3230029407C748BB71A8124BDF74BCFD1351F40183EF442433A3CF244949831A
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(00000000,00000000,?,006A0704,?,?,00000000,?,006A0704,00000000,0000000C), ref: 006A03B7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        • Opcode ID: 8e4ea0ffbab75b8d99cb5df2331074d699a9b5c286d99fcf9a75525f32cfa869
                                                                                        • Instruction ID: c3ca7a27991fcd4e5e883f5aadc43678b5e31bd14cfb2b45db60cec9f6529908
                                                                                        • Opcode Fuzzy Hash: 8e4ea0ffbab75b8d99cb5df2331074d699a9b5c286d99fcf9a75525f32cfa869
                                                                                        • Instruction Fuzzy Hash: 29D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E831EB90
                                                                                        APIs
                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00661CBC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoParametersSystem
                                                                                        • String ID:
                                                                                        • API String ID: 3098949447-0
                                                                                        • Opcode ID: cf5d33ae684ab53c3892f3b8ed55f732047975b0f85b08708a7dcdfd3f7e9386
                                                                                        • Instruction ID: e5fceb14db8d24c2b88cd2133a5e7dc1edef07614509a544c2d793212c011f91
                                                                                        • Opcode Fuzzy Hash: cf5d33ae684ab53c3892f3b8ed55f732047975b0f85b08708a7dcdfd3f7e9386
                                                                                        • Instruction Fuzzy Hash: 23C09236280308AFF3148B80BD5AF207B65A348B12F54C001F609AA5E3C3A62834EA58
                                                                                        APIs
                                                                                          • Part of subcall function 00665745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0066949C,?,00008000), ref: 00665773
                                                                                        • GetLastError.KERNEL32(00000002,00000000), ref: 006D76DE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLast
                                                                                        • String ID:
                                                                                        • API String ID: 1214770103-0
                                                                                        • Opcode ID: 44c1f13b0bed9020edee42cbdd3ab0f12d50cb6153e92c976472b946581832a4
                                                                                        • Instruction ID: ac4e4c15f5f4d12dcbb1e028d552a60316c22df87537061bc9c20e99df63be90
                                                                                        • Opcode Fuzzy Hash: 44c1f13b0bed9020edee42cbdd3ab0f12d50cb6153e92c976472b946581832a4
                                                                                        • Instruction Fuzzy Hash: BB81B1306087019FC754EF28C491BA9B7E6BF89314F04495EF8865B3A2EB34ED45CB96
                                                                                        APIs
                                                                                        • CloseHandle.KERNELBASE(?,?,00000000,006A24E0), ref: 00666266
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandle
                                                                                        • String ID:
                                                                                        • API String ID: 2962429428-0
                                                                                        • Opcode ID: dee90077b2d1b0771e55dba2ab0496c9de7598eabe49b27bf9afb5d2f9682368
                                                                                        • Instruction ID: bb3a2a383cdbee612766fbdd880f55ebc1afdccccc20dcb4c8b973f967ed2723
                                                                                        • Opcode Fuzzy Hash: dee90077b2d1b0771e55dba2ab0496c9de7598eabe49b27bf9afb5d2f9682368
                                                                                        • Instruction Fuzzy Hash: F1E0B675400B01CFC3314F1AE814452FBFAFFE13613214A2EE0E592664D3B05986DF90
                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000001F4), ref: 00CB4E29
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1383162824.0000000000CB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_cb2000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID:
                                                                                        • API String ID: 3472027048-0
                                                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                        • Instruction ID: cc04f0b4e83d1e6a8193ae863950bf913f986aa314dafbc322e129f46e648707
                                                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                        • Instruction Fuzzy Hash: BCE0BF7494410D9FDB00DFA4D54969E7BB4EF04301F100161FD0192280D6309D508A62
                                                                                        APIs
                                                                                          • Part of subcall function 00679BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00679BB2
                                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006F961A
                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006F965B
                                                                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006F969F
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006F96C9
                                                                                        • SendMessageW.USER32 ref: 006F96F2
                                                                                        • GetKeyState.USER32(00000011), ref: 006F978B
                                                                                        • GetKeyState.USER32(00000009), ref: 006F9798
                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006F97AE
                                                                                        • GetKeyState.USER32(00000010), ref: 006F97B8
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006F97E9
                                                                                        • SendMessageW.USER32 ref: 006F9810
                                                                                        • SendMessageW.USER32(?,00001030,?,006F7E95), ref: 006F9918
                                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006F992E
                                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006F9941
                                                                                        • SetCapture.USER32(?), ref: 006F994A
                                                                                        • ClientToScreen.USER32(?,?), ref: 006F99AF
                                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006F99BC
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006F99D6
                                                                                        • ReleaseCapture.USER32 ref: 006F99E1
                                                                                        • GetCursorPos.USER32(?), ref: 006F9A19
                                                                                        • ScreenToClient.USER32(?,?), ref: 006F9A26
                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 006F9A80
                                                                                        • SendMessageW.USER32 ref: 006F9AAE
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 006F9AEB
                                                                                        • SendMessageW.USER32 ref: 006F9B1A
                                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006F9B3B
                                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 006F9B4A
                                                                                        • GetCursorPos.USER32(?), ref: 006F9B68
                                                                                        • ScreenToClient.USER32(?,?), ref: 006F9B75
                                                                                        • GetParent.USER32(?), ref: 006F9B93
                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 006F9BFA
                                                                                        • SendMessageW.USER32 ref: 006F9C2B
                                                                                        • ClientToScreen.USER32(?,?), ref: 006F9C84
                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006F9CB4
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 006F9CDE
                                                                                        • SendMessageW.USER32 ref: 006F9D01
                                                                                        • ClientToScreen.USER32(?,?), ref: 006F9D4E
                                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006F9D82
                                                                                          • Part of subcall function 00679944: GetWindowLongW.USER32(?,000000EB), ref: 00679952
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 006F9E05
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                        • String ID: @GUI_DRAGID$F$p#s
                                                                                        • API String ID: 3429851547-570795275
                                                                                        • Opcode ID: aeafd0180151bc229b9e7b5b1390a6088dc400fa653ca2c6a3080bcabb9effda
                                                                                        • Instruction ID: 976f2759fcc1178c42cfbcc812a3bef1d014b826d1c505e3b0af111615bab408
                                                                                        • Opcode Fuzzy Hash: aeafd0180151bc229b9e7b5b1390a6088dc400fa653ca2c6a3080bcabb9effda
                                                                                        • Instruction Fuzzy Hash: 42428B30208248AFE724DF28CD44BBABBE6FF49720F144619F699C72A1D731A855CF65
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006F48F3
                                                                                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 006F4908
                                                                                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 006F4927
                                                                                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 006F494B
                                                                                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 006F495C
                                                                                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 006F497B
                                                                                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006F49AE
                                                                                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006F49D4
                                                                                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 006F4A0F
                                                                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006F4A56
                                                                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006F4A7E
                                                                                        • IsMenu.USER32(?), ref: 006F4A97
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F4AF2
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F4B20
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 006F4B94
                                                                                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 006F4BE3
                                                                                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 006F4C82
                                                                                        • wsprintfW.USER32 ref: 006F4CAE
                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006F4CC9
                                                                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 006F4CF1
                                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006F4D13
                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006F4D33
                                                                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 006F4D5A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                        • String ID: %d/%02d/%02d
                                                                                        • API String ID: 4054740463-328681919
                                                                                        • Opcode ID: 79c6ac61a0da779e03d872e8dca8043c668c7e34ad8eb0871e4676f9779431a5
                                                                                        • Instruction ID: 68b6de7a54d7e09c3795565d2566f38c69223747fe709044ab607c5eda444817
                                                                                        • Opcode Fuzzy Hash: 79c6ac61a0da779e03d872e8dca8043c668c7e34ad8eb0871e4676f9779431a5
                                                                                        • Instruction Fuzzy Hash: 2312DF71604218ABEB248F28CC49FBF7BFAAF85310F104119FA1ADA6A5DB749941CB50
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0067F998
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006BF474
                                                                                        • IsIconic.USER32(00000000), ref: 006BF47D
                                                                                        • ShowWindow.USER32(00000000,00000009), ref: 006BF48A
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 006BF494
                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006BF4AA
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 006BF4B1
                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006BF4BD
                                                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 006BF4CE
                                                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 006BF4D6
                                                                                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 006BF4DE
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 006BF4E1
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 006BF4F6
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 006BF501
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 006BF50B
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 006BF510
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 006BF519
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 006BF51E
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 006BF528
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 006BF52D
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 006BF530
                                                                                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 006BF557
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 4125248594-2988720461
                                                                                        • Opcode ID: a472127954f07b94e6ef8dd5d420f9df3c1301bd45000d920bfeaa4130e108c1
                                                                                        • Instruction ID: a2254b9c277056553e7a476b0708ccfceda9340379439b35be540433de3bfa92
                                                                                        • Opcode Fuzzy Hash: a472127954f07b94e6ef8dd5d420f9df3c1301bd45000d920bfeaa4130e108c1
• Instruction Fuzzy Hash: E43141B2A4021CBBEB206BB55D4AFFF7E6EEB44B60F101065FA01E61D1C6B15D50EB60
APIs
  • Part of subcall function 006C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006C170D
  • Part of subcall function 006C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006C173A
  • Part of subcall function 006C16C3: GetLastError.KERNEL32 ref: 006C174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 006C1286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006C12A8
• CloseHandle.KERNEL32(?), ref: 006C12B9
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006C12D1
• GetProcessWindowStation.USER32 ref: 006C12EA
• SetProcessWindowStation.USER32(00000000), ref: 006C12F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006C1310
  • Part of subcall function 006C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006C11FC), ref: 006C10D4
  • Part of subcall function 006C10BF: CloseHandle.KERNEL32(?,?,006C11FC), ref: 006C10E9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0$Zr
• API String ID: 22674027-1304496012
• Opcode ID: 58b2ead5a9f6d9064c4cc9baa76f43ebb27bc62428d12bd1c8835cdc0c9c8bc0
• Instruction ID: e974a7e668817f8550234e86b443e9e90eff730ed0f6ecce62902a22206d6819
• Opcode Fuzzy Hash: 58b2ead5a9f6d9064c4cc9baa76f43ebb27bc62428d12bd1c8835cdc0c9c8bc0
• Instruction Fuzzy Hash: 67818871900209ABDF259FA4DD49FFE7BBAEF06704F14816DF910AA2A2D7358944CB60
APIs
  • Part of subcall function 006C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006C1114
  • Part of subcall function 006C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C1120
  • Part of subcall function 006C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C112F
  • Part of subcall function 006C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C1136
  • Part of subcall function 006C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006C114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006C0BCC
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006C0C00
• GetLengthSid.ADVAPI32(?), ref: 006C0C17
• GetAce.ADVAPI32(?,00000000,?), ref: 006C0C51
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006C0C6D
• GetLengthSid.ADVAPI32(?), ref: 006C0C84
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 006C0C8C
• HeapAlloc.KERNEL32(00000000), ref: 006C0C93
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 006C0CB4
• CopySid.ADVAPI32(00000000), ref: 006C0CBB
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006C0CEA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006C0D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 006C0D1E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C0D45
• HeapFree.KERNEL32(00000000), ref: 006C0D4C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C0D55
• HeapFree.KERNEL32(00000000), ref: 006C0D5C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C0D65
• HeapFree.KERNEL32(00000000), ref: 006C0D6C
• GetProcessHeap.KERNEL32(00000000,?), ref: 006C0D78
• HeapFree.KERNEL32(00000000), ref: 006C0D7F
  • Part of subcall function 006C1193: GetProcessHeap.KERNEL32(00000008,006C0BB1,?,00000000,?,006C0BB1,?), ref: 006C11A1
  • Part of subcall function 006C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,006C0BB1,?), ref: 006C11A8
  • Part of subcall function 006C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006C0BB1,?), ref: 006C11B7
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: c47f94fe51f13fa34a8be9bce5c61ef5dafe42b3f31b867101b764084e9420ae
• Instruction ID: 559b921c44de0c30dbb16f9f05754a23add4f6a48a01ded66c7057af8ed14553
• Opcode Fuzzy Hash: c47f94fe51f13fa34a8be9bce5c61ef5dafe42b3f31b867101b764084e9420ae
• Instruction Fuzzy Hash: F9714A7190020AEBEF10DFA4DD44FFEBBBAEF09710F044619E915A7291D771A905CB60
APIs
• OpenClipboard.USER32(006FCC08), ref: 006DEB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 006DEB37
• GetClipboardData.USER32(0000000D), ref: 006DEB43
• CloseClipboard.USER32 ref: 006DEB4F
• GlobalLock.KERNEL32(00000000), ref: 006DEB87
• CloseClipboard.USER32 ref: 006DEB91
• GlobalUnlock.KERNEL32(00000000), ref: 006DEBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 006DEBC9
• GetClipboardData.USER32(00000001), ref: 006DEBD1
• GlobalLock.KERNEL32(00000000), ref: 006DEBE2
• GlobalUnlock.KERNEL32(00000000), ref: 006DEC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 006DEC38
• GetClipboardData.USER32(0000000F), ref: 006DEC44
• GlobalLock.KERNEL32(00000000), ref: 006DEC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 006DEC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006DEC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006DECD2
• GlobalUnlock.KERNEL32(00000000), ref: 006DECF3
• CountClipboardFormats.USER32 ref: 006DED14
• CloseClipboard.USER32 ref: 006DED59
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
• Opcode ID: da1f5d0b9d0a141c014a0723d43e1070f99d8e22df354c86231c7ddf2a41ccc8
• Instruction ID: 34ace6cbdcaed9d5e4b07a47efbdc293a3e2fb77be02185fed55effccbb78cc1
• Opcode Fuzzy Hash: da1f5d0b9d0a141c014a0723d43e1070f99d8e22df354c86231c7ddf2a41ccc8
• Instruction Fuzzy Hash: 9061AD34604205AFD300EF24D984F7A77ABEF84714F14551EF4569B3A2DB32E90ACBA2
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 006D69BE
• FindClose.KERNEL32(00000000), ref: 006D6A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006D6A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006D6A75
  • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 006D6AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 006D6ADF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
• Opcode ID: 8ec31564702f3d51a8d5ada77a4e83a71f252982f938cd51ae78ac30255b7c69
• Instruction ID: 238a255a3585f8267d8c8080678405cb8954a75965a9bf87c3d27689ee15f2e9
• Opcode Fuzzy Hash: 8ec31564702f3d51a8d5ada77a4e83a71f252982f938cd51ae78ac30255b7c69
• Instruction Fuzzy Hash: 32D161B1508340AFC354EBA4D981EABB7EDAF88704F04491EF585C7291EB75DA44CB62
APIs
• FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 006D9663
• GetFileAttributesW.KERNEL32(?), ref: 006D96A1
• SetFileAttributesW.KERNEL32(?,?), ref: 006D96BB
• FindNextFileW.KERNEL32(00000000,?), ref: 006D96D3
• FindClose.KERNEL32(00000000), ref: 006D96DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 006D96FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 006D974A
• SetCurrentDirectoryW.KERNEL32(00726B7C), ref: 006D9768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 006D9772
• FindClose.KERNEL32(00000000), ref: 006D977F
• FindClose.KERNEL32(00000000), ref: 006D978F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: b18e938ec740818c3799e24fc99986bdbdc50d64dc1b976bd7dceb617a112845
• Instruction ID: 14c0c853ea115cfa8f444b73321cbb42d46c3bcdaad62403daaf396361856b2d
• Opcode Fuzzy Hash: b18e938ec740818c3799e24fc99986bdbdc50d64dc1b976bd7dceb617a112845
• Instruction Fuzzy Hash: 8E31C07294021D6EDF14AFB4ED18AEE77AEEF09320F104156F805E22A0DB34DA44CB64
APIs
• FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 006D97BE
• FindNextFileW.KERNEL32(00000000,?), ref: 006D9819
• FindClose.KERNEL32(00000000), ref: 006D9824
• FindFirstFileW.KERNEL32(*.*,?), ref: 006D9840
• SetCurrentDirectoryW.KERNEL32(?), ref: 006D9890
• SetCurrentDirectoryW.KERNEL32(00726B7C), ref: 006D98AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 006D98B8
• FindClose.KERNEL32(00000000), ref: 006D98C5
• FindClose.KERNEL32(00000000), ref: 006D98D5
  • Part of subcall function 006CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006CDB00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 036d5560018b7b66e2a60e7fdc5c67c0cd35a3aa28a6ee0e93a7f62c1cd1d979
• Instruction ID: 0dc3a58013cf78585a88efedc1e06b7ab84e8b923775f82f5595606452f46e9d
• Opcode Fuzzy Hash: 036d5560018b7b66e2a60e7fdc5c67c0cd35a3aa28a6ee0e93a7f62c1cd1d979
• Instruction Fuzzy Hash: 1331C37294021D6EDF10AFB4EC48AEE77AEEF06720F144557E810A22A0DB30DA45DB64
APIs
• GetLocalTime.KERNEL32(?), ref: 006D8257
• SystemTimeToFileTime.KERNEL32(?,?), ref: 006D8267
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006D8273
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006D8310
• SetCurrentDirectoryW.KERNEL32(?), ref: 006D8324
• SetCurrentDirectoryW.KERNEL32(?), ref: 006D8356
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006D838C
• SetCurrentDirectoryW.KERNEL32(?), ref: 006D8395
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: e6487197de19635530c12f21c4425f021e6e03ec6b436839ac40a1156bb41716
• Instruction ID: e383e734aa487776cd5f162a3377ef8818e3f4d8676a6810efff26e6c2ea4137
• Opcode Fuzzy Hash: e6487197de19635530c12f21c4425f021e6e03ec6b436839ac40a1156bb41716
• Instruction Fuzzy Hash: 846159725043459FCB10EF64C8449AEB3EAFF89324F04491EF989C7251EB31E945CB96
                                                                                        APIs
                                                                                          • Part of subcall function 00663AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00663A97,?,?,00662E7F,?,?,?,00000000), ref: 00663AC2
                                                                                          • Part of subcall function 006CE199: GetFileAttributesW.KERNEL32(?,006CCF95), ref: 006CE19A
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 006CD122
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 006CD1DD
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 006CD1F0
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 006CD20D
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 006CD237
                                                                                          • Part of subcall function 006CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,006CD21C,?,?), ref: 006CD2B2
                                                                                        • FindClose.KERNEL32(00000000,?,?,?), ref: 006CD253
                                                                                        • FindClose.KERNEL32(00000000), ref: 006CD264
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                        • String ID: \*.*
                                                                                        • API String ID: 1946585618-1173974218
                                                                                        • Opcode ID: 791ee360c253147124c98ae704c7162689a3ed053ad20cc58fc993fac04f8aa2
                                                                                        • Instruction ID: 4e04c89366276f4b8571b7873e3f1f78d1f8fbe104ce2998ab62445aa791e58e
                                                                                        • Opcode Fuzzy Hash: 791ee360c253147124c98ae704c7162689a3ed053ad20cc58fc993fac04f8aa2
                                                                                        • Instruction Fuzzy Hash: C861263180111DAACF45EBA0DA92EFDB7BAEF15300F24416DE40277291EB35AF09DB64
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1737998785-0
                                                                                        • Opcode ID: 4a3f058764883e18d56d3b444cc41c80c4e85f386ddaee0c35c4a0726bab164d
                                                                                        • Instruction ID: 701f5b35e24d616708bc862a86ad4949a92dfdb529f17f2c9363d0e1284e15c5
                                                                                        • Opcode Fuzzy Hash: 4a3f058764883e18d56d3b444cc41c80c4e85f386ddaee0c35c4a0726bab164d
                                                                                        • Instruction Fuzzy Hash: 1F418C35604611AFE720EF15D888F69BBE2EF44328F14C09AE4558F762CB76ED42CB90
                                                                                        APIs
                                                                                          • Part of subcall function 006C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006C170D
                                                                                          • Part of subcall function 006C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006C173A
                                                                                          • Part of subcall function 006C16C3: GetLastError.KERNEL32 ref: 006C174A
                                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 006CE932
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                        • String ID: $ $@$SeShutdownPrivilege
                                                                                        • API String ID: 2234035333-3163812486
                                                                                        • Opcode ID: fbbf3bf5ed78c07e6e25fc1f91db2acc71c54023694dfb06c65983f73b024671
                                                                                        • Instruction ID: 41d381a3733bb0673c003d50404cb2205ef9499db829543358a52b961adac70a
                                                                                        • Opcode Fuzzy Hash: fbbf3bf5ed78c07e6e25fc1f91db2acc71c54023694dfb06c65983f73b024671
                                                                                        • Instruction Fuzzy Hash: AC012672610214ABEB9422B49C8AFFF727EE715751F14052EF802E31D2D9B25C4082A4
                                                                                        APIs
                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006E1276
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E1283
                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 006E12BA
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E12C5
                                                                                        • closesocket.WSOCK32(00000000), ref: 006E12F4
                                                                                        • listen.WSOCK32(00000000,00000005), ref: 006E1303
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E130D
                                                                                        • closesocket.WSOCK32(00000000), ref: 006E133C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                        • String ID:
                                                                                        • API String ID: 540024437-0
                                                                                        • Opcode ID: c009b684fcf188cc97a9a705c0d4885f2eff9bbf03e10e186e5b75aa646b3f46
                                                                                        • Instruction ID: 206d3ba926d327e3d86d66059caa1d4f638873078526cbb795c4a6b6fc8899c4
                                                                                        • Opcode Fuzzy Hash: c009b684fcf188cc97a9a705c0d4885f2eff9bbf03e10e186e5b75aa646b3f46
                                                                                        • Instruction Fuzzy Hash: F341A3316002409FD710DF65C998B69BBE7BF46328F188188D9568F396C771ED82CBE1
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 0069B9D4
                                                                                        • _free.LIBCMT ref: 0069B9F8
                                                                                        • _free.LIBCMT ref: 0069BB7F
                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00703700), ref: 0069BB91
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0073121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0069BC09
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00731270,000000FF,?,0000003F,00000000,?), ref: 0069BC36
                                                                                        • _free.LIBCMT ref: 0069BD4B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                        • String ID:
                                                                                        • API String ID: 314583886-0
                                                                                        • Opcode ID: e5f932fc9e1d19e17ccd60d7c2abf4b25617f53bed6e5d2075519aa84fa9a75e
                                                                                        • Instruction ID: e58e77a41175d49f2b256590a67cda3b10f03f166ecb12ce07a5d171b441c2fa
                                                                                        • Opcode Fuzzy Hash: e5f932fc9e1d19e17ccd60d7c2abf4b25617f53bed6e5d2075519aa84fa9a75e
                                                                                        • Instruction Fuzzy Hash: C3C11671A04209AFDF20DF69AE51BEA7BAFEF41310F18619EE494D7791EB308E018754
                                                                                        APIs
                                                                                          • Part of subcall function 00663AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00663A97,?,?,00662E7F,?,?,?,00000000), ref: 00663AC2
                                                                                          • Part of subcall function 006CE199: GetFileAttributesW.KERNEL32(?,006CCF95), ref: 006CE19A
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 006CD420
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 006CD470
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 006CD481
                                                                                        • FindClose.KERNEL32(00000000), ref: 006CD498
                                                                                        • FindClose.KERNEL32(00000000), ref: 006CD4A1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                        • String ID: \*.*
                                                                                        • API String ID: 2649000838-1173974218
                                                                                        • Opcode ID: ed38b5ab9fb516195bc00b6b472d0c1c3e0ca838210d1680565309b0c4effee0
                                                                                        • Instruction ID: 20d4b157712c50c418dd72b267fff319ad9affe47ca7f87e7c9f0b962591355b
                                                                                        • Opcode Fuzzy Hash: ed38b5ab9fb516195bc00b6b472d0c1c3e0ca838210d1680565309b0c4effee0
                                                                                        • Instruction Fuzzy Hash: 0A319E31008345ABC304EF64D9919BFB7EAEE91310F449A2DF4D593291EB30AA09CB67
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: __floor_pentium4
                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                        • API String ID: 4168288129-2761157908
                                                                                        • Opcode ID: d2134331e65f6b7a1c41791fa1fed715f550116950f5450a364724981a985cf3
                                                                                        • Instruction ID: 1a4bf757c76e475187142a4ae0091a780d5a9a86fd4832c9b7b9c508d964dc7d
                                                                                        • Opcode Fuzzy Hash: d2134331e65f6b7a1c41791fa1fed715f550116950f5450a364724981a985cf3
                                                                                        • Instruction Fuzzy Hash: 1DC24971E086288FDF65CF289D407EAB7BAEB48314F1541EAD44DE7640E779AE818F40
                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 006D64DC
                                                                                        • CoInitialize.OLE32(00000000), ref: 006D6639
                                                                                        • CoCreateInstance.OLE32(006FFCF8,00000000,00000001,006FFB68,?), ref: 006D6650
                                                                                        • CoUninitialize.OLE32 ref: 006D68D4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 886957087-24824748
                                                                                        • Opcode ID: 860abef762fdf1455fe4ef80d7e3654c702b2ee8f36130aa61f13b8844d9d792
                                                                                        • Instruction ID: 7b820bcfb58f8572b8cd4546946005ff5e4e2612baf1d9007dbf3d2deff1fa6c
                                                                                        • Opcode Fuzzy Hash: 860abef762fdf1455fe4ef80d7e3654c702b2ee8f36130aa61f13b8844d9d792
                                                                                        • Instruction Fuzzy Hash: 1BD14A71508341AFC344EF24C88196BB7EAFF98704F00496DF5958B2A1DB71ED45CBA2
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 006E22E8
                                                                                          • Part of subcall function 006DE4EC: GetWindowRect.USER32(?,?), ref: 006DE504
                                                                                        • GetDesktopWindow.USER32 ref: 006E2312
                                                                                        • GetWindowRect.USER32(00000000), ref: 006E2319
                                                                                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 006E2355
                                                                                        • GetCursorPos.USER32(?), ref: 006E2381
                                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006E23DF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                        • String ID:
                                                                                        • API String ID: 2387181109-0
                                                                                        • Opcode ID: db5bab38f5d13b692fae099af44b26e638cc80082131b9e5635c474315b9541b
                                                                                        • Instruction ID: 06b85c400ee5331e72ffbc0ca069b2e846912220946e807b6a284e1ecbc0a9d4
                                                                                        • Opcode Fuzzy Hash: db5bab38f5d13b692fae099af44b26e638cc80082131b9e5635c474315b9541b
                                                                                        • Instruction Fuzzy Hash: 7331BE72505356ABC720DF15C845BABB7ABFB84310F00191DF98597281DA35E908CB92
                                                                                        APIs
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 006D9B78
                                                                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 006D9C8B
                                                                                          • Part of subcall function 006D3874: GetInputState.USER32 ref: 006D38CB
                                                                                          • Part of subcall function 006D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006D3966
                                                                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 006D9BA8
                                                                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 006D9C75
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                        • String ID: *.*
                                                                                        • API String ID: 1972594611-438819550
                                                                                        • Opcode ID: c3afede84d38758ed807e64e6034c543321400ee8ea12db31f35c1be6e0f5a00
                                                                                        • Instruction ID: ca0f0c90b92500ddc89da94f3dac51a9c5ea2e9660553553aecd03287cd72221
                                                                                        • Opcode Fuzzy Hash: c3afede84d38758ed807e64e6034c543321400ee8ea12db31f35c1be6e0f5a00
                                                                                        • Instruction Fuzzy Hash: 65417371D0421AAFCF54DFA4C995AEE7BBAEF05310F24415AE805A33A1EB309E44CF64
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
                                                                                        • API String ID: 0-1173862840
                                                                                        • Opcode ID: 2df68ad11c3716787259b2909f8c4424ea41bc37dfbc4fca90d3b0dd3c8a39e4
                                                                                        • Instruction ID: 52d6e030c64109d45743bc02e71677cb92d72b1843e37d543f5a6db8a93aecee
                                                                                        • Opcode Fuzzy Hash: 2df68ad11c3716787259b2909f8c4424ea41bc37dfbc4fca90d3b0dd3c8a39e4
                                                                                        • Instruction Fuzzy Hash: 6EA25D70A0061ACFDF24DF68C9507EDB7B2BB55314F2482AAE816A7385DB709D81CF90
                                                                                        APIs
                                                                                          • Part of subcall function 00679BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00679BB2
                                                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00679A4E
                                                                                        • GetSysColor.USER32(0000000F), ref: 00679B23
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00679B36
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$LongProcWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3131106179-0
                                                                                        • Opcode ID: ba43cdf3be01f36bf3ff65efd7b5937c484fbee32e2dfd3f259d587866ada94d
                                                                                        • Instruction ID: bed47701d1ea528ad641e808716ca5f7e7758029b004d60b646d7b6a1c164ebd
                                                                                        • Opcode Fuzzy Hash: ba43cdf3be01f36bf3ff65efd7b5937c484fbee32e2dfd3f259d587866ada94d
                                                                                        • Instruction Fuzzy Hash: 0EA109B0109444AEE728AA3C8C59EFB27DFDB82350F25C11DF506C6795CA259D82D37A
                                                                                        APIs
                                                                                          • Part of subcall function 006E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006E307A
                                                                                          • Part of subcall function 006E304E: _wcslen.LIBCMT ref: 006E309B
                                                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006E185D
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E1884
                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 006E18DB
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E18E6
                                                                                        • closesocket.WSOCK32(00000000), ref: 006E1915
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1601658205-0
                                                                                        • Opcode ID: 584f4f0260dbd40e01786c59b99448ae0cfd0fa049c8d6c9d41bb38d1879fa7c
                                                                                        • Instruction ID: 0b1bd84e5e80960e23a3fcd773d8be968f47888a12692d97aad848d72c2f2418
                                                                                        • Opcode Fuzzy Hash: 584f4f0260dbd40e01786c59b99448ae0cfd0fa049c8d6c9d41bb38d1879fa7c
                                                                                        • Instruction Fuzzy Hash: EE51A371A002109FE710AF24C896F6A77E6AB45718F18809CF95A9F3D3C771AD41CBA5
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                        • String ID:
                                                                                        • API String ID: 292994002-0
                                                                                        • Opcode ID: 5b4b34ad8454028925ee79adf6af31bd8a8728d40ac7d03b8624a87eac925d5d
                                                                                        • Instruction ID: 0d6abd271febc11ff88c851f4d336da7edabb0951a052a8fad4ed76887585b3f
                                                                                        • Opcode Fuzzy Hash: 5b4b34ad8454028925ee79adf6af31bd8a8728d40ac7d03b8624a87eac925d5d
                                                                                        • Instruction Fuzzy Hash: 8821B1317402099FD7208F1AC854B7A7BA7AF86364B18805CE946CF351C775EC42CB94
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 006C82AA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen
                                                                                        • String ID: ($tbr$|
                                                                                        • API String ID: 1659193697-2672883373
                                                                                        • Opcode ID: 88a9cf9fb8b4bca2925e9b8f70084c50787ac0d7df48d622f1a16e4044b06c6b
                                                                                        • Instruction ID: 28a24e6a0670a4102f42e0be5a4a006485994fe5e877d70c6f89c7751f75bca0
                                                                                        • Opcode Fuzzy Hash: 88a9cf9fb8b4bca2925e9b8f70084c50787ac0d7df48d622f1a16e4044b06c6b
                                                                                        • Instruction Fuzzy Hash: 88323474A006059FCB28CF59C481EAAB7F1FF48710B15C56EE49ADB7A1EB70E941CB44
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 006EA6AC
                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 006EA6BA
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 006EA79C
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 006EA7AB
                                                                                          • Part of subcall function 0067CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006A3303,?), ref: 0067CE8A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 1991900642-0
                                                                                        • Opcode ID: 3aaa48bda2e6e221f61d9972d34909372fe2d76a71b1fc9dd7d0518b29676581
                                                                                        • Instruction ID: c20043665447becbd9d610b55feb35cf9df38d8a32aae050622a0a80d2219f21
                                                                                        • Opcode Fuzzy Hash: 3aaa48bda2e6e221f61d9972d34909372fe2d76a71b1fc9dd7d0518b29676581
                                                                                        • Instruction Fuzzy Hash: 12518D71508300AFD750EF65C886A6BBBE9FF89754F00891DF58997291EB30E904CBA6
                                                                                        APIs
                                                                                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 006CAAAC
                                                                                        • SetKeyboardState.USER32(00000080), ref: 006CAAC8
                                                                                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 006CAB36
                                                                                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 006CAB88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                        • String ID:
                                                                                        • API String ID: 432972143-0
                                                                                        • Opcode ID: cfeb215c317ef6de52e373875754ee9a39b3c7a7c5496faf0340609b694d6b7b
                                                                                        • Instruction ID: 007b2db71a03faacc819e1a4337caf12ff65c6f2335fc88e1699b7ad01796d7b
                                                                                        • Opcode Fuzzy Hash: cfeb215c317ef6de52e373875754ee9a39b3c7a7c5496faf0340609b694d6b7b
                                                                                        • Instruction Fuzzy Hash: BB31F370A4024CAFEB258AA4CC09FFA7BA7EB44324F04421EF181962D1D7758D81C766
                                                                                        APIs
                                                                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 006DCE89
                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 006DCEEA
                                                                                        • SetEvent.KERNEL32(?,?,00000000), ref: 006DCEFE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorEventFileInternetLastRead
                                                                                        • String ID:
                                                                                        • API String ID: 234945975-0
                                                                                        • Opcode ID: 6943f802daa9c0b406f00c4b6adcf8dd7f09552c09d176ae59ab3be0cea5b2ac
                                                                                        • Instruction ID: f1af27b7a86d70ece0c0663cb373425130a85d07cf0bf4e63ae76d2edd315f72
                                                                                        • Instruction Fuzzy Hash: A221BDB190030A9BDB20DFA5C949BA777FEEF40364F10441EE546D2251E770EE05DB64
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(?,006A5222), ref: 006CDBCE
                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 006CDBDD
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 006CDBEE
                                                                                        • FindClose.KERNEL32(00000000), ref: 006CDBFA
                                                                                        Similarity
                                                                                        • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 2695905019-0
                                                                                        • Opcode ID: 2387fd514fb65989fbc13f40ec65daa5bdc779fc415cd63a54a5ae4cc2ad6441
                                                                                        • Instruction ID: e5b1834e1c631d0ae5ba7ed3fbc5a4696fa7f032e9d717edcb4364d14001114c
                                                                                        • Instruction Fuzzy Hash: F3F0E57081091857C3206B7CAE0DDBA376EDE01374B10571AF836C22F0EBB06E55C6D5
                                                                                        APIs
                                                                                        • IsDebuggerPresent.KERNEL32 ref: 0069271A
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00692724
                                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00692731
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                        • String ID:
                                                                                        • API String ID: 3906539128-0
                                                                                        • Opcode ID: 1d7515fc7d84ff1413db551d8a0ab57bb69f71377449b9f24198114b22d6be66
                                                                                        • Instruction ID: 768e6e1a015028fb391ee9f68d537ba00fd6b3776cc4a1aa1ed3c43978d243b7
                                                                                        • Instruction Fuzzy Hash: CC31D47590121DABCB61DF68DD887DCBBB9AF08310F5042EAE81CA7261E7309F858F44
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 006D51DA
                                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006D5238
                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 006D52A1
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 1682464887-0
                                                                                        • Opcode ID: 3ba486d2555cbb632decf979827266a11ddaf503015bff1ab2f126b306c5ec19
                                                                                        • Instruction ID: e726d0ae8c963e02170eab9c86accd33252b000b356c235f513044fa1e137907
                                                                                        • Instruction Fuzzy Hash: 3B314175A00518DFDB00DF54D884EADBBB5FF49314F048099E8459B352DB31E95ACB91
                                                                                        APIs
                                                                                          • Part of subcall function 0067FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00680668
                                                                                          • Part of subcall function 0067FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00680685
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006C170D
                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006C173A
                                                                                        • GetLastError.KERNEL32 ref: 006C174A
                                                                                        Similarity
                                                                                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                        • String ID:
                                                                                        • API String ID: 577356006-0
                                                                                        • Opcode ID: f9f873c0e55e58d32d9392deb5235e700741732d6bc0fbcf85bafdb13dbf693c
                                                                                        • Instruction ID: 9b053a01fa4881bf7959aef80b6f322a25ce78a1e1e8684d0c896e456f0eba1d
                                                                                        • Instruction Fuzzy Hash: 6E1191B2404308FFD7289F54DC86E7AB7BAEF45764B20856EE05657241EB70BC42CB24
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006CD608
                                                                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006CD645
                                                                                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006CD650
                                                                                        Similarity
                                                                                        • API ID: CloseControlCreateDeviceFileHandle
                                                                                        • String ID:
                                                                                        • API String ID: 33631002-0
                                                                                        • Opcode ID: c4ad24fb339482461e9b5977f4e12bbaa893a037a2d21c49223069e83058bfe6
                                                                                        • Instruction ID: da241d153c957ae5ba7c533d37f9c7d10fdcaa057ca63f79e8887ac0f5d1d63a
                                                                                        • Instruction Fuzzy Hash: 83115E75E05228BFDB108F99DD45FAFBBBDEB45B60F108126F904E7290D6704A05CBA1
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006C168C
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006C16A1
                                                                                        • FreeSid.ADVAPI32(?), ref: 006C16B1
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID:
                                                                                        • API String ID: 3429775523-0
                                                                                        • Opcode ID: 57f784b50343ffbb50b14927fa8d5dc51b6154bead13a3d1b8ab43487c475640
                                                                                        • Instruction ID: 56049c8147a2912f344dd00db6aa0aec0eaaf373644b3074bcd868cf08d0e16f
                                                                                        • Instruction Fuzzy Hash: 46F0447194030CFBDB00CFE48D89EAEBBBDEB08210F004864E500E2181E731AA449A50
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(006928E9,?,00684CBE,006928E9,007288B8,0000000C,00684E15,006928E9,00000002,00000000,?,006928E9), ref: 00684D09
                                                                                        • TerminateProcess.KERNEL32(00000000,?,00684CBE,006928E9,007288B8,0000000C,00684E15,006928E9,00000002,00000000,?,006928E9), ref: 00684D10
                                                                                        • ExitProcess.KERNEL32 ref: 00684D22
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 1703294689-0
                                                                                        • Opcode ID: f4dad5bf76bbdca41ed19e8abc1afd31d517e3d7206330d1784d82974b4f9238
                                                                                        • Instruction ID: 88705dbc3f0d0100a9effe8b00d2d3116f813627cf5a141ba867909b10d24b13
                                                                                        • Instruction Fuzzy Hash: 35E0B632000549ABCF12BF54DE09AA87B6BEF41791B104118FD058A622CF35ED52DB84
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: /
                                                                                        • API String ID: 0-2043925204
                                                                                        • Opcode ID: d56c87037d690ced7003c27e6ad3a83870c624e306f0c824512fd1ee670d3c6f
                                                                                        • Instruction ID: 442c6b68468e392cb8ef33a49c33c6b3d9478ce2c8b27e381c449f04f65d590f
                                                                                        • Instruction Fuzzy Hash: CA412572500219ABCF209FB9CC48EEB77BEEB84364F504269F905D7680E6709E418B54
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 006BD28C
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: NameUser
                                                                                        • String ID: X64
                                                                                        • API String ID: 2645101109-893830106
                                                                                        • Opcode ID: fd30e5ecc1948503b163b55416079d251cac5d82530a51b2a228647a1ae41a9f
                                                                                        • Instruction ID: de3afef0be66c9e428ad65daa0b5162ee74ea29c3dad4430fe7594d2b0eed422
                                                                                        • Instruction Fuzzy Hash: F9D0C9B480111DEACB94CBA0DC88DD9B37DBF04305F104555F106A2000DB30964A9F10
Strings
Similarity
• String ID: Variable is not of type 'Object'.$p#s
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 006D6918
• FindClose.KERNEL32(00000000), ref: 006D6961
Similarity
• API ID: Find$CloseFileFirst
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006E4891,?,?,00000035,?), ref: 006D37E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006E4891,?,?,00000035,?), ref: 006D37F4
Similarity
• API ID: ErrorFormatLastMessage
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 006CB25D
• keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 006CB270
Similarity
• API ID: InputSendkeybd_event
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006C11FC), ref: 006C10D4
• CloseHandle.KERNEL32(?,?,006C11FC), ref: 006C10E9
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00696766,?,?,00000008,?,?,0069FEFE,00000000), ref: 00696998
Similarity
• API ID: ExceptionRaise
APIs
• BlockInput.USER32(00000001), ref: 006DEABD
Similarity
• API ID: BlockInput
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006803EE), ref: 006809DA
Similarity
• API ID: ExceptionFilterUnhandled
Strings
Similarity
• String ID: 0
Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0&s
                                                                                        • API String ID: 0-3522731808
                                                                                        • Opcode ID: ec39bbefbc42790704da8463545af7066556845b396b074f8cae5cc951e3df70
                                                                                        • Instruction ID: 11520940bea662c5b2866d5c90151b7292761e73c7435f0075e674154fff762f
                                                                                        • Opcode Fuzzy Hash: ec39bbefbc42790704da8463545af7066556845b396b074f8cae5cc951e3df70
                                                                                        • Instruction Fuzzy Hash: AB21DD327215118BD728CF79C82367E73E5A764310F15862EE4A7C37D1DE3AA904C784
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a0e8b95e5771799dfb5a07cd701a98de7685bf693f0febbc61a089623f0fbc2
• Instruction ID: 489559295b3dec4d8216d1d8e76a449bf599d5f9e97784cca8087ca46797c61f
• Opcode Fuzzy Hash: 5a0e8b95e5771799dfb5a07cd701a98de7685bf693f0febbc61a089623f0fbc2
• Instruction Fuzzy Hash: 54320222D39F018DDB279634C826335628EAFB73D5F15D727E81AB5EA6EF29C4834104
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 764c20bf2398be85612cf27ecf86fa526a6e073e085e0c18b099073a69a9ef8e
• Instruction ID: 01ef1e2208f366fab06cbf131d405d9d005c7661af0eb56e49feca714357aa6e
• Opcode Fuzzy Hash: 764c20bf2398be85612cf27ecf86fa526a6e073e085e0c18b099073a69a9ef8e
• Instruction Fuzzy Hash: 9232F5B1A001158BDF39CF28C494AFD7BA3EB45330F28866AD4599B391D634DEC2DB50
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca01ba8e0def3038a5fbca2caf717e4aa07c0b9158eef0436b19b4e08f0eaf9c
• Instruction ID: 4f364e5e251224baf342bd4a386e4479421b25c2bbb3651ad5cef2fa426203b2
• Opcode Fuzzy Hash: ca01ba8e0def3038a5fbca2caf717e4aa07c0b9158eef0436b19b4e08f0eaf9c
• Instruction Fuzzy Hash: 0A229E70A04609AFDF14DFA4C881AEEB3F7FF49304F244629E816A7291EB35AD15CB54
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3018f2cba5536ba7fb6fb385341c2979cedd61bc14784bc608266714b71e3305
• Instruction ID: e35d0873c5cd5cd5df9fd945a59b0a58b0e7197f9fedd4d4ebb08ac3cd83718e
• Opcode Fuzzy Hash: 3018f2cba5536ba7fb6fb385341c2979cedd61bc14784bc608266714b71e3305
• Instruction Fuzzy Hash: 8C02A6B0A10105EBDB14EF54D981AAEB7B6FF45300F208169E816DB391EB35AE11CF95
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
• Instruction ID: 92efa66387a5d8e3772ad5ded823a426d4a2c1fe4e5cd0eab3cdf05f7531f8a6
• Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
• Instruction Fuzzy Hash: 489187726080A34ADB29563E85341BEFFE65E933A131A079DD4F2CE2C1FE24C956D720
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
• Instruction ID: c6a00f8fefc83276aaf7e005eb89b6aeac8f4d82ca3d5a6ac2f100f19d547ab3
• Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
• Instruction Fuzzy Hash: 049184722090E34ADB2D567A857407DFFEA5A933A231A079ED4F2CE2C1FE14C656D720
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c69126f1162fd8c2e9f4d8ddbeac2a66ab9fb71c72fff23dad7b1eca5ac62852
• Instruction ID: 61d35df3f994bc9a66b502874466f9db527002d4e3635a3ab4e59db9f9794505
• Opcode Fuzzy Hash: c69126f1162fd8c2e9f4d8ddbeac2a66ab9fb71c72fff23dad7b1eca5ac62852
• Instruction Fuzzy Hash: FF6169712087099ADE78BE288D95BFE6397DF51700F740B1DE842DB381DA11DE42C369
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
• Instruction ID: 1a09e913bffb570f35d804513104e3ded2b7a174478b9ebeb0df4501af2636ef
• Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
• Instruction Fuzzy Hash: 6D8197726080A30ADB2D523A85354BEFFE75A933A131A079DD4F2CF2C1EE24C656D720
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a211b3e522018b24227d01d5ae69075bf535523e0d3b73ed2ef30ffa05330d27
• Instruction ID: a452aa31eb8929d6da348a950abb6b5a8dbd180516c7894ca1d1a794f425845a
• Opcode Fuzzy Hash: a211b3e522018b24227d01d5ae69075bf535523e0d3b73ed2ef30ffa05330d27
• Instruction Fuzzy Hash: 7F6180725496819FDB0ACF20C9D2480FFA8FEA3A10308D6DECD458F1AED765D604CB61
                                                                                        APIs
                                                                                        • DeleteObject.GDI32(00000000), ref: 006E2B30
                                                                                        • DeleteObject.GDI32(00000000), ref: 006E2B43
                                                                                        • DestroyWindow.USER32 ref: 006E2B52
                                                                                        • GetDesktopWindow.USER32 ref: 006E2B6D
                                                                                        • GetWindowRect.USER32(00000000), ref: 006E2B74
                                                                                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 006E2CA3
                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 006E2CB1
                                                                                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E2CF8
                                                                                        • GetClientRect.USER32(00000000,?), ref: 006E2D04
                                                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006E2D40
                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E2D62
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E2D75
                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E2D80
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 006E2D89
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E2D98
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 006E2DA1
                                                                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E2DA8
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 006E2DB3
                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E2DC5
                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,006FFC38,00000000), ref: 006E2DDB
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 006E2DEB
                                                                                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 006E2E11
                                                                                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 006E2E30
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E2E52
                                                                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006E303F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                                                        • API String ID: 2211948467-2373415609
                                                                                        • Opcode ID: d762f7f55d4609477f7b98a22b2a1989e1e9837c157dcd96aad17ca1dcb4547a
                                                                                        • Instruction ID: d3c20db473aa080b5c8d613a7e81fb08a0521846211b3234b1ee9ee201aec02b
                                                                                        • Opcode Fuzzy Hash: d762f7f55d4609477f7b98a22b2a1989e1e9837c157dcd96aad17ca1dcb4547a
                                                                                        • Instruction Fuzzy Hash: 44028C71900209EFDB14DF65CD89EAE7BBAFF48725F008158F915AB2A1DB74AD01CB60
                                                                                        APIs
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 006F712F
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 006F7160
                                                                                        • GetSysColor.USER32(0000000F), ref: 006F716C
                                                                                        • SetBkColor.GDI32(?,000000FF), ref: 006F7186
                                                                                        • SelectObject.GDI32(?,?), ref: 006F7195
                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 006F71C0
                                                                                        • GetSysColor.USER32(00000010), ref: 006F71C8
                                                                                        • CreateSolidBrush.GDI32(00000000), ref: 006F71CF
                                                                                        • FrameRect.USER32(?,?,00000000), ref: 006F71DE
                                                                                        • DeleteObject.GDI32(00000000), ref: 006F71E5
                                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 006F7230
                                                                                        • FillRect.USER32(?,?,?), ref: 006F7262
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 006F7284
                                                                                          • Part of subcall function 006F73E8: GetSysColor.USER32(00000012), ref: 006F7421
                                                                                          • Part of subcall function 006F73E8: SetTextColor.GDI32(?,?), ref: 006F7425
                                                                                          • Part of subcall function 006F73E8: GetSysColorBrush.USER32(0000000F), ref: 006F743B
                                                                                          • Part of subcall function 006F73E8: GetSysColor.USER32(0000000F), ref: 006F7446
                                                                                          • Part of subcall function 006F73E8: GetSysColor.USER32(00000011), ref: 006F7463
                                                                                          • Part of subcall function 006F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006F7471
                                                                                          • Part of subcall function 006F73E8: SelectObject.GDI32(?,00000000), ref: 006F7482
                                                                                          • Part of subcall function 006F73E8: SetBkColor.GDI32(?,00000000), ref: 006F748B
                                                                                          • Part of subcall function 006F73E8: SelectObject.GDI32(?,?), ref: 006F7498
                                                                                          • Part of subcall function 006F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006F74B7
                                                                                          • Part of subcall function 006F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006F74CE
                                                                                          • Part of subcall function 006F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006F74DB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                        • String ID:
                                                                                        • API String ID: 4124339563-0
                                                                                        • Opcode ID: e079eb19884b02ff0deee3ce2e3f1a56b2495fc7a9c8129ee03dc6b1cb83058a
                                                                                        • Instruction ID: d2fdf6a60322e6b038fa62364eae7b03bcf4605200a35a79c43960fda503d83f
                                                                                        • Opcode Fuzzy Hash: e079eb19884b02ff0deee3ce2e3f1a56b2495fc7a9c8129ee03dc6b1cb83058a
                                                                                        • Instruction Fuzzy Hash: ABA19D72008309AFDB00DF64DD48EBB7BAAFB89330F101A19FA62961E1D771E955CB51
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(?,?), ref: 00678E14
                                                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 006B6AC5
                                                                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006B6AFE
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006B6F43
                                                                                          • Part of subcall function 00678F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00678BE8,?,00000000,?,?,?,?,00678BBA,00000000,?), ref: 00678FC5
                                                                                        • SendMessageW.USER32(?,00001053), ref: 006B6F7F
                                                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006B6F96
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 006B6FAC
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 006B6FB7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                        • String ID: 0
                                                                                        • API String ID: 2760611726-4108050209
                                                                                        • Opcode ID: 5f0ee86181aae7d3a0a254ec8fca5f79cd945d65dfd684ddbbfa14322e269bff
                                                                                        • Instruction ID: 44e04e5590c604376e266820da798615e0bdcdfb783c1527a444181b990b7da8
                                                                                        • Opcode Fuzzy Hash: 5f0ee86181aae7d3a0a254ec8fca5f79cd945d65dfd684ddbbfa14322e269bff
                                                                                        • Instruction Fuzzy Hash: C712AB70604245DFDB25CF24C958BFABBA7FB44310F548469F5898B261CB3AEC92CB51
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(00000000), ref: 006E273E
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006E286A
                                                                                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006E28A9
                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006E28B9
                                                                                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 006E2900
                                                                                        • GetClientRect.USER32(00000000,?), ref: 006E290C
                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 006E2955
                                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006E2964
                                                                                        • GetStockObject.GDI32(00000011), ref: 006E2974
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 006E2978
                                                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 006E2988
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006E2991
                                                                                        • DeleteDC.GDI32(00000000), ref: 006E299A
                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006E29C6
                                                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 006E29DD
                                                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 006E2A1D
                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006E2A31
                                                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 006E2A42
                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 006E2A77
                                                                                        • GetStockObject.GDI32(00000011), ref: 006E2A82
                                                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006E2A8D
                                                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 006E2A97
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                        • API String ID: 2910397461-517079104
                                                                                        • Opcode ID: 67dc135ee67e6ea2b788f4e85d619b5af93edb2755647ff7fa94883cc2b411a5
                                                                                        • Instruction ID: 8f5aa6b446fa48e6d7bb5c7bde5de0127f5cccee6a65b92b7c1861c9e98f5d30
                                                                                        • Opcode Fuzzy Hash: 67dc135ee67e6ea2b788f4e85d619b5af93edb2755647ff7fa94883cc2b411a5
                                                                                        • Instruction Fuzzy Hash: 86B17E71A00209AFEB14DFA9CD45FAF7BAAEB08711F008159F915E7290D774ED40CBA4
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 006D4AED
                                                                                        • GetDriveTypeW.KERNEL32(?,006FCB68,?,\\.\,006FCC08), ref: 006D4BCA
                                                                                        • SetErrorMode.KERNEL32(00000000,006FCB68,?,\\.\,006FCC08), ref: 006D4D36
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$DriveType
                                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                        • API String ID: 2907320926-4222207086
                                                                                        • Opcode ID: ab0b3b1b28303e9fc33466b146aeed5928c881d99d61762df2a3b7697e96b964
                                                                                        • Instruction ID: 19ad130a7e6530079cad3ab029906c2da86a98e28071a035b36a3f49f5825c9f
                                                                                        • Opcode Fuzzy Hash: ab0b3b1b28303e9fc33466b146aeed5928c881d99d61762df2a3b7697e96b964
                                                                                        • Instruction Fuzzy Hash: EE61AE70B16109DBCB14DF24DA829B877B3AB44304B20842BF806AB791DF3AED42DB55
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000012), ref: 006F7421
                                                                                        • SetTextColor.GDI32(?,?), ref: 006F7425
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 006F743B
                                                                                        • GetSysColor.USER32(0000000F), ref: 006F7446
                                                                                        • CreateSolidBrush.GDI32(?), ref: 006F744B
                                                                                        • GetSysColor.USER32(00000011), ref: 006F7463
                                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 006F7471
                                                                                        • SelectObject.GDI32(?,00000000), ref: 006F7482
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 006F748B
                                                                                        • SelectObject.GDI32(?,?), ref: 006F7498
                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 006F74B7
                                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006F74CE
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 006F74DB
                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006F752A
                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006F7554
                                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 006F7572
                                                                                        • DrawFocusRect.USER32(?,?), ref: 006F757D
                                                                                        • GetSysColor.USER32(00000011), ref: 006F758E
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 006F7596
                                                                                        • DrawTextW.USER32(?,006F70F5,000000FF,?,00000000), ref: 006F75A8
                                                                                        • SelectObject.GDI32(?,?), ref: 006F75BF
                                                                                        • DeleteObject.GDI32(?), ref: 006F75CA
                                                                                        • SelectObject.GDI32(?,?), ref: 006F75D0
                                                                                        • DeleteObject.GDI32(?), ref: 006F75D5
                                                                                        • SetTextColor.GDI32(?,?), ref: 006F75DB
                                                                                        • SetBkColor.GDI32(?,?), ref: 006F75E5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                        • String ID:
                                                                                        • API String ID: 1996641542-0
                                                                                        • Opcode ID: 502ac59eff3fe2f0a63b6b5e20a1126caec879c2229857049ac13a6c5f79c00e
                                                                                        • Instruction ID: 703faf68eeb949353fe819fe4e4e46af36ca3bf817fdf1f5f28d00e8f1a7436d
                                                                                        • Opcode Fuzzy Hash: 502ac59eff3fe2f0a63b6b5e20a1126caec879c2229857049ac13a6c5f79c00e
                                                                                        • Instruction Fuzzy Hash: CE615B7290421CAFDF01DFA8DD49EEEBFBAEB09320F115115FA15AB2A1D7709950CB90
                                                                                        APIs
                                                                                        • GetCursorPos.USER32(?), ref: 006F1128
                                                                                        • GetDesktopWindow.USER32 ref: 006F113D
                                                                                        • GetWindowRect.USER32(00000000), ref: 006F1144
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 006F1199
                                                                                        • DestroyWindow.USER32(?), ref: 006F11B9
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006F11ED
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006F120B
                                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006F121D
                                                                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 006F1232
                                                                                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 006F1245
                                                                                        • IsWindowVisible.USER32(00000000), ref: 006F12A1
                                                                                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006F12BC
                                                                                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006F12D0
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 006F12E8
                                                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 006F130E
                                                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 006F1328
                                                                                        • CopyRect.USER32(?,?), ref: 006F133F
                                                                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 006F13AA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                        • String ID: ($0$tooltips_class32
                                                                                        • API String ID: 698492251-4156429822
                                                                                        • Opcode ID: 1b0b70271bfe43185353fd43e4c9f3ceb1fd28682edd5599ab39784c8ceffd61
                                                                                        • Instruction ID: 553c2dfae68c8620eff3ec939314f8cd452956053f35e976ffe00d65ac848f7a
                                                                                        • Opcode Fuzzy Hash: 1b0b70271bfe43185353fd43e4c9f3ceb1fd28682edd5599ab39784c8ceffd61
                                                                                        • Instruction Fuzzy Hash: 3FB19C71608345EFD740DF64C984BAABBE6FF85350F00891CFA999B261CB71E844CB95
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 006F02E5
                                                                                        • _wcslen.LIBCMT ref: 006F031F
                                                                                        • _wcslen.LIBCMT ref: 006F0389
                                                                                        • _wcslen.LIBCMT ref: 006F03F1
                                                                                        • _wcslen.LIBCMT ref: 006F0475
                                                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006F04C5
                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006F0504
                                                                                          • Part of subcall function 0067F9F2: _wcslen.LIBCMT ref: 0067F9FD
                                                                                          • Part of subcall function 006C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006C2258
                                                                                          • Part of subcall function 006C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006C228A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                        • API String ID: 1103490817-719923060
                                                                                        • Opcode ID: 7ae6422d357be99fef434fb44daa74685624d730e5ef0639ae780987584416f2
                                                                                        • Instruction ID: ba0b27ad559848c16c42d2c35604e52eca021bcafcd75eaab7bbcbc865ad51d1
                                                                                        • Opcode Fuzzy Hash: 7ae6422d357be99fef434fb44daa74685624d730e5ef0639ae780987584416f2
                                                                                        • Instruction Fuzzy Hash: CCE1CD312082058FDB54DF24C55197AB3E7BF88314F14896DFA96AB3A2DB30ED46CB91
                                                                                        APIs
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00678968
                                                                                        • GetSystemMetrics.USER32(00000007), ref: 00678970
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0067899B
                                                                                        • GetSystemMetrics.USER32(00000008), ref: 006789A3
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 006789C8
                                                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006789E5
                                                                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006789F5
                                                                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00678A28
                                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00678A3C
                                                                                        • GetClientRect.USER32(00000000,000000FF), ref: 00678A5A
                                                                                        • GetStockObject.GDI32(00000011), ref: 00678A76
                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00678A81
                                                                                          • Part of subcall function 0067912D: GetCursorPos.USER32(?), ref: 00679141
                                                                                          • Part of subcall function 0067912D: ScreenToClient.USER32(00000000,?), ref: 0067915E
                                                                                          • Part of subcall function 0067912D: GetAsyncKeyState.USER32(00000001), ref: 00679183
                                                                                          • Part of subcall function 0067912D: GetAsyncKeyState.USER32(00000002), ref: 0067919D
                                                                                        • SetTimer.USER32(00000000,00000000,00000028,006790FC), ref: 00678AA8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                        • String ID: AutoIt v3 GUI
                                                                                        • API String ID: 1458621304-248962490
                                                                                        • Opcode ID: bc02a68f7e56a06797ec7598073c4ae65cf4b4b01738fcfa3955ddeccd1c5553
                                                                                        • Instruction ID: 8c93ee1536ebd07f5f6a4ca632c6c6710db086ef4fcaaaa65afd16255850ccb0
                                                                                        • Opcode Fuzzy Hash: bc02a68f7e56a06797ec7598073c4ae65cf4b4b01738fcfa3955ddeccd1c5553
                                                                                        • Instruction Fuzzy Hash: 01B17C71A402099FDB14DFA8CD49BEE3BB6FB48325F118129FA19A7290DB34E841CF55
                                                                                        APIs
                                                                                          • Part of subcall function 006C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006C1114
                                                                                          • Part of subcall function 006C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C1120
                                                                                          • Part of subcall function 006C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C112F
                                                                                          • Part of subcall function 006C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C1136
                                                                                          • Part of subcall function 006C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006C114D
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006C0DF5
                                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006C0E29
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 006C0E40
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 006C0E7A
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006C0E96
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 006C0EAD
                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 006C0EB5
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 006C0EBC
                                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006C0EDD
                                                                                        • CopySid.ADVAPI32(00000000), ref: 006C0EE4
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006C0F13
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006C0F35
                                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006C0F47
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C0F6E
                                                                                        • HeapFree.KERNEL32(00000000), ref: 006C0F75
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C0F7E
                                                                                        • HeapFree.KERNEL32(00000000), ref: 006C0F85
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C0F8E
                                                                                        • HeapFree.KERNEL32(00000000), ref: 006C0F95
                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 006C0FA1
                                                                                        • HeapFree.KERNEL32(00000000), ref: 006C0FA8
                                                                                          • Part of subcall function 006C1193: GetProcessHeap.KERNEL32(00000008,006C0BB1,?,00000000,?,006C0BB1,?), ref: 006C11A1
                                                                                          • Part of subcall function 006C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,006C0BB1,?), ref: 006C11A8
                                                                                          • Part of subcall function 006C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006C0BB1,?), ref: 006C11B7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                        • String ID:
                                                                                        • API String ID: 4175595110-0
                                                                                        • Opcode ID: 375ab45a2af673f0ddeb94b674c44d34ee46c8a9b95fa3001464fa4ed95cf3a4
                                                                                        • Instruction ID: 396223c45c60f68a56debf23652e7d7662713a8d262303a675b5a92a0561ed37
                                                                                        • Opcode Fuzzy Hash: 375ab45a2af673f0ddeb94b674c44d34ee46c8a9b95fa3001464fa4ed95cf3a4
                                                                                        • Instruction Fuzzy Hash: 77713C7190020AEBEF20DFA4DD44FFEBBBAFF05310F148119E929A6291D7719A55CB60
                                                                                        APIs
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006EC4BD
                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,006FCC08,00000000,?,00000000,?,?), ref: 006EC544
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 006EC5A4
                                                                                        • _wcslen.LIBCMT ref: 006EC5F4
                                                                                        • _wcslen.LIBCMT ref: 006EC66F
                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006EC6B2
                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 006EC7C1
                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006EC84D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 006EC881
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 006EC88E
                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006EC960
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                        • API String ID: 9721498-966354055
                                                                                        • Opcode ID: d054d7fada9e8fbe95c040d180416a02137a828a2dd2320aede8b16529dbb8c5
                                                                                        • Instruction ID: 1f21341f312efa1acf1730f6ef3df1f71f26b5593dd17fdeffe3f75fefec69e2
                                                                                        • Opcode Fuzzy Hash: d054d7fada9e8fbe95c040d180416a02137a828a2dd2320aede8b16529dbb8c5
                                                                                        • Instruction Fuzzy Hash: 3E127B356043419FD754DF15C881A6AB7E6FF88724F14889DF88A9B3A2DB31EC42CB85
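                                                                                        The tooltip listing above (a tooltips_class32 window driven by SendMessageW with uMsg 0x432, 0x418, 0x421, 0x41D, 0x412 and 0x411), the user-object security listing (GetUserObjectSecurity, GetAce/AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity) and the registry writer just above (RegConnectRegistryW, RegCreateKeyExW, then RegSetValueExW with dwType 1, 7, 0xB and 3) all leave their numeric arguments undecoded. The Python below is an added example, not Joe Sandbox or AutoIt code: it parses lines in the report's own "• Func.MODULE(args), ref: ADDR" style into records, names the RegSetValueExW value type and the TTM_* tooltip message from the Win32 SDK header constants (winnt.h, commctrl.h), and flags the GetUserObjectSecurity/AddAce/SetUserObjectSecurity combination, which can only target a window station or desktop because those are the only objects that API accepts. The two sample traces are constructed by copying lines from this page; the DACL flag is my own heuristic, and a "?" argument is one the sandbox could not resolve statically. The decoded names agree with the String IDs the report prints for the same functions (REG_SZ through REG_QWORD, tooltips_class32).

```python
"""Annotate Joe Sandbox 'APIs' trace lines from a report like this one.

Added example, not code from Joe Sandbox or AutoIt. Parses bullet lines of the
form '• Func.MODULE(arg,...), ref: ADDR', decodes two arguments the listing
leaves numeric (RegSetValueExW dwType, tooltip SendMessageW uMsg) and flags the
GetUserObjectSecurity/AddAce/SetUserObjectSecurity sequence. Constants are from
the Win32 SDK headers (winnt.h, commctrl.h).
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
             7: "REG_MULTI_SZ", 11: "REG_QWORD"}          # winnt.h
WM_USER = 0x400                                          # TTM_* = WM_USER + n (commctrl.h)
TTM_MESSAGES = {WM_USER + 17: "TTM_TRACKACTIVATE", WM_USER + 18: "TTM_TRACKPOSITION",
                WM_USER + 24: "TTM_SETMAXTIPWIDTH", WM_USER + 29: "TTM_UPDATE",
                WM_USER + 33: "TTM_SETTITLEW", WM_USER + 50: "TTM_ADDTOOLW"}
# Heuristic (my assumption): all three in one function means the DACL of a
# window station or desktop is being rewritten; those are the only user objects.
USER_OBJECT_DACL_SEQ = ("GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity")


@dataclass
class Call:
    fn: str
    module: str
    args: list      # int for hex literals, None for '?', str for string literals
    ref: int
    subcall: bool   # True for '• Part of subcall function ...' context lines
    note: str = ""


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                  # sandbox could not resolve the value statically
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                       # e.g. tooltips_class32, AutoIt v3 GUI


def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # headings such as 'APIs' or 'Strings'
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("fn"), m.group("mod"), args,
                          int(m.group("ref"), 16), bool(m.group("sub"))))
    return calls


def annotate(calls: list) -> list:
    """Fill Call.note for the two call kinds whose key argument is a constant."""
    for c in calls:
        if c.fn == "RegSetValueExW" and len(c.args) >= 6 and isinstance(c.args[3], int):
            c.note = REG_TYPES.get(c.args[3], f"dwType={c.args[3]}")
            if isinstance(c.args[5], int):
                c.note += f", cbData={c.args[5]}"
        elif c.fn == "SendMessageW" and len(c.args) >= 2 and isinstance(c.args[1], int):
            c.note = TTM_MESSAGES.get(c.args[1], f"uMsg=0x{c.args[1]:X}")
    return calls


def rewrites_user_object_dacl(calls: list) -> bool:
    names = {c.fn for c in calls}
    return all(n in names for n in USER_OBJECT_DACL_SEQ)


# Constructed samples: lines copied from this report's listings.
SAMPLE_TRACE = """\
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006F11ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006F120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006F121D
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006F12BC
• RegCreateKeyExW.ADVAPI32(?,?,00000000,006FCC08,00000000,?,00000000,?,?), ref: 006EC544
• _wcslen.LIBCMT ref: 006EC5F4
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006EC6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006EC84D
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006EC960
  • Part of subcall function 0067F9F2: _wcslen.LIBCMT ref: 0067F9FD
"""
DACL_TRACE = """\
  • Part of subcall function 006C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006C1114
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006C0E96
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 006C0F47
"""

if __name__ == "__main__":
    for c in annotate(parse_trace(SAMPLE_TRACE)):
        print(f"{c.ref:08X} {'  ' if c.subcall else ''}{c.fn}.{c.module} {c.note}")
    print("user-object DACL rewrite:", rewrites_user_object_dacl(parse_trace(DACL_TRACE)))
```

                                                                                        Run as-is it prints the annotated registry and tooltip calls; any record's APIs list from this report can be pasted in place of SAMPLE_TRACE. Message names are only meaningful for a SendMessageW target that the surrounding calls show to be a tooltip (here CreateWindowExW with tooltips_class32); a 0x1032 sent to a list view in the other records would need the LVM_ table instead.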
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 006F09C6
                                                                                        • _wcslen.LIBCMT ref: 006F0A01
                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006F0A54
                                                                                        • _wcslen.LIBCMT ref: 006F0A8A
                                                                                        • _wcslen.LIBCMT ref: 006F0B06
                                                                                        • _wcslen.LIBCMT ref: 006F0B81
                                                                                          • Part of subcall function 0067F9F2: _wcslen.LIBCMT ref: 0067F9FD
                                                                                          • Part of subcall function 006C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006C2BFA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                        • API String ID: 1103490817-4258414348
                                                                                        • Opcode ID: 15d20a995720b020964132304429bafdf0c38d9df9339c9fc5fdd4cac617b6b7
                                                                                        • Instruction ID: 63d9486fe608ef5181322b35cdf47fce1ee1fdd44b8f67cbff0beb37b6b3514a
                                                                                        • Opcode Fuzzy Hash: 15d20a995720b020964132304429bafdf0c38d9df9339c9fc5fdd4cac617b6b7
                                                                                        • Instruction Fuzzy Hash: EFE187352083059FCB54DF24C45097AB7E3BF98318B10899DF99A9B3A2DB31ED46CB81
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                        • API String ID: 1256254125-909552448
APIs
• _wcslen.LIBCMT ref: 006F835A
• _wcslen.LIBCMT ref: 006F836E
• _wcslen.LIBCMT ref: 006F8391
• _wcslen.LIBCMT ref: 006F83B4
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006F83F2
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006F5BF2), ref: 006F844E
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006F8487
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006F84CA
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006F8501
• FreeLibrary.KERNEL32(?), ref: 006F850D
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006F851D
• DestroyIcon.USER32(?,?,?,?,?,006F5BF2), ref: 006F852C
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006F8549
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006F8555
Strings
Similarity
• API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl
• API String ID: 799131459-1154884017
Strings
Similarity
• API ID:
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 0-1645009161
APIs
• LoadIconW.USER32(00000063), ref: 006C5A2E
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006C5A40
• SetWindowTextW.USER32(?,?), ref: 006C5A57
• GetDlgItem.USER32(?,000003EA), ref: 006C5A6C
• SetWindowTextW.USER32(00000000,?), ref: 006C5A72
• GetDlgItem.USER32(?,000003E9), ref: 006C5A82
• SetWindowTextW.USER32(00000000,?), ref: 006C5A88
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006C5AA9
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006C5AC3
• GetWindowRect.USER32(?,?), ref: 006C5ACC
• _wcslen.LIBCMT ref: 006C5B33
• SetWindowTextW.USER32(?,?), ref: 006C5B6F
• GetDesktopWindow.USER32 ref: 006C5B75
• GetWindowRect.USER32(00000000), ref: 006C5B7C
• MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 006C5BD3
• GetClientRect.USER32(?,?), ref: 006C5BE0
• PostMessageW.USER32(?,00000005,00000000,?), ref: 006C5C05
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006C5C2F
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID:
• API String ID: 895679908-0
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[r
• API String ID: 176396367-1580549998
APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006800C6
  • Part of subcall function 006800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0073070C,00000FA0,64F317F0,?,?,?,?,006A23B3,000000FF), ref: 0068011C
  • Part of subcall function 006800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006A23B3,000000FF), ref: 00680127
  • Part of subcall function 006800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006A23B3,000000FF), ref: 00680138
  • Part of subcall function 006800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0068014E
  • Part of subcall function 006800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0068015C
  • Part of subcall function 006800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0068016A
  • Part of subcall function 006800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00680195
  • Part of subcall function 006800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006801A0
• ___scrt_fastfail.LIBCMT ref: 006800E7
  • Part of subcall function 006800A3: __onexit.LIBCMT ref: 006800A9
Strings
• InitializeConditionVariable, xrefs: 00680148
• WakeAllConditionVariable, xrefs: 00680162
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 00680122
• SleepConditionVariableCS, xrefs: 00680154
• kernel32.dll, xrefs: 00680133
Similarity
• API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 66158676-1714406822
APIs
• CharLowerBuffW.USER32(00000000,00000000,006FCC08), ref: 006D4527
• _wcslen.LIBCMT ref: 006D453B
• _wcslen.LIBCMT ref: 006D4599
• _wcslen.LIBCMT ref: 006D45F4
• _wcslen.LIBCMT ref: 006D463F
• _wcslen.LIBCMT ref: 006D46A7
  • Part of subcall function 0067F9F2: _wcslen.LIBCMT ref: 0067F9FD
• GetDriveTypeW.KERNEL32(?,00726BF0,00000061), ref: 006D4743
Strings
Similarity
• API ID: _wcslen$BuffCharDriveLowerType
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2055661098-1000479233
APIs
  • Part of subcall function 00679BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00679BB2
• DragQueryPoint.SHELL32(?,?), ref: 006F9147
  • Part of subcall function 006F7674: ClientToScreen.USER32(?,?), ref: 006F769A
  • Part of subcall function 006F7674: GetWindowRect.USER32(?,?), ref: 006F7710
  • Part of subcall function 006F7674: PtInRect.USER32(?,?,006F8B89), ref: 006F7720
• SendMessageW.USER32(?,000000B0,?,?), ref: 006F91B0
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006F91BB
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006F91DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 006F9225
• SendMessageW.USER32(?,000000B0,?,?), ref: 006F923E
• SendMessageW.USER32(?,000000B1,?,?), ref: 006F9255
• SendMessageW.USER32(?,000000B1,?,?), ref: 006F9277
• DragFinish.SHELL32(?), ref: 006F927E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006F9371
Strings
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#s
• API String ID: 221274066-3108310235
                                                                                        • Opcode ID: 5f73cbde33ec92fb290e860fbec8bba29c4c5f9a993bde34ea911924c9ad086b
                                                                                        • Instruction ID: c818e4878b6dffb5735a9046861d35bbda1341e58d8ad30b3324d5d5529737dc
                                                                                        • Opcode Fuzzy Hash: 5f73cbde33ec92fb290e860fbec8bba29c4c5f9a993bde34ea911924c9ad086b
                                                                                        • Instruction Fuzzy Hash: 08619C71108305AFD701DF60DD85EAFBBEAEF89760F000A2DF595931A1DB309A49CB66
                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 006EB198
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006EB1B0
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006EB1D4
                                                                                        • _wcslen.LIBCMT ref: 006EB200
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006EB214
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006EB236
                                                                                        • _wcslen.LIBCMT ref: 006EB332
                                                                                          • Part of subcall function 006D05A7: GetStdHandle.KERNEL32(000000F6), ref: 006D05C6
                                                                                        • _wcslen.LIBCMT ref: 006EB34B
                                                                                        • _wcslen.LIBCMT ref: 006EB366
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006EB3B6
                                                                                        • GetLastError.KERNEL32(00000000), ref: 006EB407
                                                                                        • CloseHandle.KERNEL32(?), ref: 006EB439
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 006EB44A
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 006EB45C
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 006EB46E
                                                                                        • CloseHandle.KERNEL32(?), ref: 006EB4E3
                                                                                        Similarity
                                                                                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2178637699-0
                                                                                        • Opcode ID: 5e0b1145cfe8af8a3c48e425592132a1f1ca0b1826eaa67916a530981cab5012
                                                                                        • Instruction ID: c3844967ae81470426fe26332628683943f56aa53afb31edf6c306f6d11dbef4
                                                                                        • Opcode Fuzzy Hash: 5e0b1145cfe8af8a3c48e425592132a1f1ca0b1826eaa67916a530981cab5012
                                                                                        • Instruction Fuzzy Hash: 8EF19A315093809FC754EF25C891B6FBBE2AF85314F14855DF8998B2A2DB31EC44CB96
                                                                                        APIs
                                                                                        • GetMenuItemCount.USER32(00731990), ref: 006A2F8D
                                                                                        • GetMenuItemCount.USER32(00731990), ref: 006A303D
                                                                                        • GetCursorPos.USER32(?), ref: 006A3081
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 006A308A
                                                                                        • TrackPopupMenuEx.USER32(00731990,00000000,?,00000000,00000000,00000000), ref: 006A309D
                                                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006A30A9
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                        • String ID: 0
                                                                                        • API String ID: 36266755-4108050209
                                                                                        • Opcode ID: 2373968e8242a363cdb8bd698f1c92a4ef9bc073ffe215527de7325d87bbed54
                                                                                        • Instruction ID: d40fc96c7f71fdb3f132ccb9e849674e00676ce960b6069a3d0ba93e5c285326
                                                                                        • Opcode Fuzzy Hash: 2373968e8242a363cdb8bd698f1c92a4ef9bc073ffe215527de7325d87bbed54
                                                                                        • Instruction Fuzzy Hash: 32711870684216BEEB219F28CD59FEABF6AFF01324F204206F5156A3E0C7B1AD54DB50
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(?,?), ref: 006F6DEB
                                                                                          • Part of subcall function 00666B57: _wcslen.LIBCMT ref: 00666B6A
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006F6E5F
                                                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006F6E81
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006F6E94
                                                                                        • DestroyWindow.USER32(?), ref: 006F6EB5
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00660000,00000000), ref: 006F6EE4
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006F6EFD
                                                                                        • GetDesktopWindow.USER32 ref: 006F6F16
                                                                                        • GetWindowRect.USER32(00000000), ref: 006F6F1D
                                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006F6F35
                                                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006F6F4D
                                                                                          • Part of subcall function 00679944: GetWindowLongW.USER32(?,000000EB), ref: 00679952
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                        • String ID: 0$tooltips_class32
                                                                                        • API String ID: 2429346358-3619404913
                                                                                        • Opcode ID: 44fbba737c831038fb8303e25dba5fc264d3747636a07d9e938e3419fde4a074
                                                                                        • Instruction ID: da20278df64a9c2fb40e1250cf23ed1cf1fb76b3f8c88c55173115d15208cf21
                                                                                        • Opcode Fuzzy Hash: 44fbba737c831038fb8303e25dba5fc264d3747636a07d9e938e3419fde4a074
                                                                                        • Instruction Fuzzy Hash: 2E715875104248AFEB21CF18D844BBABBEAFB89314F44841DFA9987261C774AD06DB15
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006DC4B0
                                                                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006DC4C3
                                                                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006DC4D7
                                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006DC4F0
                                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 006DC533
                                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006DC549
                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006DC554
                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006DC584
                                                                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006DC5DC
                                                                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006DC5F0
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 006DC5FB
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                        • String ID:
                                                                                        • API String ID: 3800310941-3916222277
                                                                                        • Opcode ID: 4ae344b49dc3e332333839c1951de4860bd65cfe8840468bb3c312789df88204
                                                                                        • Instruction ID: a52987b4b07467ee748cf7f1f60319d965ad5b04ca297fd3d5114a41741393bc
                                                                                        • Opcode Fuzzy Hash: 4ae344b49dc3e332333839c1951de4860bd65cfe8840468bb3c312789df88204
                                                                                        • Instruction Fuzzy Hash: 59514BB190020EBFDB219F65D948ABA7BFEEF48764F00451AF94596310DB30EA54DB60
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 006F8592
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006F85A2
                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006F85AD
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006F85BA
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 006F85C8
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006F85D7
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 006F85E0
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006F85E7
                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006F85F8
                                                                                        • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,006FFC38,?), ref: 006F8611
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 006F8621
                                                                                        • GetObjectW.GDI32(?,00000018,?), ref: 006F8641
                                                                                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 006F8671
                                                                                        • DeleteObject.GDI32(?), ref: 006F8699
                                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006F86AF
                                                                                        Similarity
                                                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                        • String ID:
                                                                                        • API String ID: 3840717409-0
                                                                                        • Opcode ID: c70e595e1a61d5d0aad337b20a5f9909ec608867bf88641872b2749725db9af5
                                                                                        • Instruction ID: b16f1a4acd22d44c768a8bee7fb6df0f459d186692af9b6a080c07d4e3377a1d
                                                                                        • Opcode Fuzzy Hash: c70e595e1a61d5d0aad337b20a5f9909ec608867bf88641872b2749725db9af5
                                                                                        • Instruction Fuzzy Hash: 52410A75600208AFDB11DFA5DD48EBA7BBAFF8A765F104058F905E7260DB309E05DB60
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(00000000), ref: 006D1502
                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 006D150B
                                                                                        • VariantClear.OLEAUT32(?), ref: 006D1517
                                                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006D15FB
                                                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 006D1657
                                                                                        • VariantInit.OLEAUT32(?), ref: 006D1708
                                                                                        • SysFreeString.OLEAUT32(?), ref: 006D178C
                                                                                        • VariantClear.OLEAUT32(?), ref: 006D17D8
                                                                                        • VariantClear.OLEAUT32(?), ref: 006D17E7
                                                                                        • VariantInit.OLEAUT32(00000000), ref: 006D1823
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                        • API String ID: 1234038744-3931177956
                                                                                        • Opcode ID: ddb59ba022a685b61294cd01cbb4735ae725f932a1555afd5f548980c2686238
                                                                                        • Instruction ID: 7c120c98f05afe1357fc652afa31bfb33e8e9e5e1b5b81d3409642a5875385ca
                                                                                        • Opcode Fuzzy Hash: ddb59ba022a685b61294cd01cbb4735ae725f932a1555afd5f548980c2686238
                                                                                        • Instruction Fuzzy Hash: 44D1CFB1E00115EBDB109F65E885BB9B7B7BF46700F20805BE406AF390DBB8D846DB61
                                                                                        APIs
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                          • Part of subcall function 006EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006EB6AE,?,?), ref: 006EC9B5
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006EC9F1
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006ECA68
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006ECA9E
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006EB6F4
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006EB772
                                                                                        • RegDeleteValueW.ADVAPI32(?,?), ref: 006EB80A
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 006EB87E
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 006EB89C
                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 006EB8F2
                                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006EB904
                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 006EB922
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 006EB983
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 006EB994
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                        • API String ID: 146587525-4033151799
                                                                                        • Opcode ID: 6bdc18c906e6e88b53de90c1c7b03bfa2484dd1e372c126a597547d142b98398
                                                                                        • Instruction ID: a783b576af87cb72d1ac4cbb157335538fe83614ec6c4c0979d8e5fc83b56bd2
                                                                                        • Opcode Fuzzy Hash: 6bdc18c906e6e88b53de90c1c7b03bfa2484dd1e372c126a597547d142b98398
                                                                                        • Instruction Fuzzy Hash: 7AC18A30205341AFD714DF15C494F6ABBE6AF85318F14959CE49A8B3A2CB71EC46CB91
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 006E25D8
                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006E25E8
                                                                                        • CreateCompatibleDC.GDI32(?), ref: 006E25F4
                                                                                        • SelectObject.GDI32(00000000,?), ref: 006E2601
                                                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 006E266D
                                                                                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006E26AC
                                                                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006E26D0
                                                                                        • SelectObject.GDI32(?,?), ref: 006E26D8
                                                                                        • DeleteObject.GDI32(?), ref: 006E26E1
                                                                                        • DeleteDC.GDI32(?), ref: 006E26E8
                                                                                        • ReleaseDC.USER32(00000000,?), ref: 006E26F3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                        • String ID: (
                                                                                        • API String ID: 2598888154-3887548279
                                                                                        • Opcode ID: a709f60b1dd57480965246b7aa8d906b8bef096b1f0f0147ac523006e0c4b92a
                                                                                        • Instruction ID: f235ba4b56fa8637adc589965c8eec00527bb54c59dd3f2b4edb218ee0b94f23
                                                                                        • Opcode Fuzzy Hash: a709f60b1dd57480965246b7aa8d906b8bef096b1f0f0147ac523006e0c4b92a
                                                                                        • Instruction Fuzzy Hash: 2A610275D00219EFCF04CFA8D984EAEBBBAFF48310F208529E955A7250E771A951CF64
                                                                                        APIs
                                                                                        • ___free_lconv_mon.LIBCMT ref: 0069DAA1
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D659
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D66B
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D67D
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D68F
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D6A1
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D6B3
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D6C5
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D6D7
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D6E9
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D6FB
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D70D
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D71F
                                                                                          • Part of subcall function 0069D63C: _free.LIBCMT ref: 0069D731
                                                                                        • _free.LIBCMT ref: 0069DA96
                                                                                          • Part of subcall function 006929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000), ref: 006929DE
                                                                                          • Part of subcall function 006929C8: GetLastError.KERNEL32(00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000,00000000), ref: 006929F0
                                                                                        • _free.LIBCMT ref: 0069DAB8
                                                                                        • _free.LIBCMT ref: 0069DACD
                                                                                        • _free.LIBCMT ref: 0069DAD8
                                                                                        • _free.LIBCMT ref: 0069DAFA
                                                                                        • _free.LIBCMT ref: 0069DB0D
                                                                                        • _free.LIBCMT ref: 0069DB1B
                                                                                        • _free.LIBCMT ref: 0069DB26
                                                                                        • _free.LIBCMT ref: 0069DB5E
                                                                                        • _free.LIBCMT ref: 0069DB65
                                                                                        • _free.LIBCMT ref: 0069DB82
                                                                                        • _free.LIBCMT ref: 0069DB9A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                        • String ID:
                                                                                        • API String ID: 161543041-0
                                                                                        • Opcode ID: 61bf610d69789c1248776f5c54a02fc866e4b9f4770aac6edcd554552c009b31
                                                                                        • Instruction ID: fc824f8dbb7cbba10691eaff1bf660171cf546c4c0efa61c52f650d1e95edce4
                                                                                        • Opcode Fuzzy Hash: 61bf610d69789c1248776f5c54a02fc866e4b9f4770aac6edcd554552c009b31
                                                                                        • Instruction Fuzzy Hash: 09316D71604306AFEF61AA39E845B9AB7EEFF10720F51442DE448D7A91DF31AC50C764
                                                                                        APIs
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 006C369C
                                                                                        • _wcslen.LIBCMT ref: 006C36A7
                                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006C3797
                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 006C380C
                                                                                        • GetDlgCtrlID.USER32(?), ref: 006C385D
                                                                                        • GetWindowRect.USER32(?,?), ref: 006C3882
                                                                                        • GetParent.USER32(?), ref: 006C38A0
                                                                                        • ScreenToClient.USER32(00000000), ref: 006C38A7
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 006C3921
                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 006C395D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                        • String ID: %s%u
                                                                                        • API String ID: 4010501982-679674701
                                                                                        • Opcode ID: 58157b6e243c2dbedee27533024ff66646ee3484ce7b00b2c08ceebcca61ddfb
                                                                                        • Instruction ID: bbc655a414635e02c71ce1f73f1924716afbac56c8e11abf4613b0454a92ec01
                                                                                        • Opcode Fuzzy Hash: 58157b6e243c2dbedee27533024ff66646ee3484ce7b00b2c08ceebcca61ddfb
                                                                                        • Instruction Fuzzy Hash: DA91A171204616AFD719DF24C885FFAB7AAFF44350F00861DF999D2290EB30EA45CBA1
                                                                                        APIs
                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 006C4994
                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 006C49DA
                                                                                        • _wcslen.LIBCMT ref: 006C49EB
                                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 006C49F7
                                                                                        • _wcsstr.LIBVCRUNTIME ref: 006C4A2C
                                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 006C4A64
                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 006C4A9D
                                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 006C4AE6
                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 006C4B20
                                                                                        • GetWindowRect.USER32(?,?), ref: 006C4B8B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                        • String ID: ThumbnailClass
                                                                                        • API String ID: 1311036022-1241985126
                                                                                        • Opcode ID: 64e6780f4651705f652e3a49323906955a23643d504d2d760a37537a5bb69788
                                                                                        • Instruction ID: df361359e5c9a01b1da97c076e7c2a54b443417f7609a822e2061c38d8fd2012
                                                                                        • Opcode Fuzzy Hash: 64e6780f4651705f652e3a49323906955a23643d504d2d760a37537a5bb69788
                                                                                        • Instruction Fuzzy Hash: A7919C711082099BDB04DF14C9A5FBA77EAEF84314F04846EFD859A296DF30ED45CBA1
                                                                                        APIs
                                                                                          • Part of subcall function 00679BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00679BB2
                                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006F8D5A
                                                                                        • GetFocus.USER32 ref: 006F8D6A
                                                                                        • GetDlgCtrlID.USER32(00000000), ref: 006F8D75
                                                                                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 006F8E1D
                                                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006F8ECF
                                                                                        • GetMenuItemCount.USER32(?), ref: 006F8EEC
                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 006F8EFC
                                                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006F8F2E
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006F8F70
                                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006F8FA1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                        • String ID: 0
                                                                                        • API String ID: 1026556194-4108050209
                                                                                        • Opcode ID: 4894006bfaef164e06611a2e20aa4224e1d8ab536ef13e1d47d5d06ecbac154a
                                                                                        • Instruction ID: 8fe9a2440c29272853621a2bfd481bd36f639a3f13135b9f6e7fffd2523b5ee1
                                                                                        • Opcode Fuzzy Hash: 4894006bfaef164e06611a2e20aa4224e1d8ab536ef13e1d47d5d06ecbac154a
                                                                                        • Instruction Fuzzy Hash: 8F817971508309AFDB10CF24C884ABB7BEABF98364F14099DFA8497291DB30D905CBA1
                                                                                        APIs
                                                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 006CDC20
                                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006CDC46
                                                                                        • _wcslen.LIBCMT ref: 006CDC50
                                                                                        • _wcsstr.LIBVCRUNTIME ref: 006CDCA0
                                                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006CDCBC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                        • API String ID: 1939486746-1459072770
                                                                                        • Opcode ID: 8923e8c954b78d92df09add6926eb6c7b3d8cd48d551c8e812bd7b2079371106
                                                                                        • Instruction ID: 182c9885f65acdd63aef0473feb2955f7bb33b8bde544b6c8640557625760b48
                                                                                        • Opcode Fuzzy Hash: 8923e8c954b78d92df09add6926eb6c7b3d8cd48d551c8e812bd7b2079371106
                                                                                        • Instruction Fuzzy Hash: D04124729402047ADB10B774DC43FFF37AEDF42720F10416EF905A6182EA74AA0197B8
                                                                                        APIs
                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006ECC64
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 006ECC8D
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006ECD48
                                                                                          • Part of subcall function 006ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 006ECCAA
                                                                                          • Part of subcall function 006ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 006ECCBD
                                                                                          • Part of subcall function 006ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006ECCCF
                                                                                          • Part of subcall function 006ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006ECD05
                                                                                          • Part of subcall function 006ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006ECD28
                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 006ECCF3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                        • API String ID: 2734957052-4033151799
                                                                                        • Opcode ID: 65bd119eeeb97be1d2e55e72af8b2e499a78a30d97ac7bc75aa2e04c4925d437
                                                                                        • Instruction ID: 19c60e67e2da3a44ccb8c03b4cf3ffb1ea8553a070b415dbd5ccfa69c7ff165c
                                                                                        • Opcode Fuzzy Hash: 65bd119eeeb97be1d2e55e72af8b2e499a78a30d97ac7bc75aa2e04c4925d437
                                                                                        • Instruction Fuzzy Hash: 7F318F7190222DBBDB208B55DD88EFFBB7EEF45760F000165B905E2240DB349A46DAA0
                                                                                        APIs
                                                                                        • timeGetTime.WINMM ref: 006CE6B4
                                                                                          • Part of subcall function 0067E551: timeGetTime.WINMM(?,?,006CE6D4), ref: 0067E555
                                                                                        • Sleep.KERNEL32(0000000A), ref: 006CE6E1
                                                                                        • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 006CE705
                                                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006CE727
                                                                                        • SetActiveWindow.USER32 ref: 006CE746
                                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006CE754
                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 006CE773
                                                                                        • Sleep.KERNEL32(000000FA), ref: 006CE77E
                                                                                        • IsWindow.USER32 ref: 006CE78A
                                                                                        • EndDialog.USER32(00000000), ref: 006CE79B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                        • String ID: BUTTON
                                                                                        • API String ID: 1194449130-3405671355
                                                                                        • Opcode ID: 4169c924e00444d4c0336161cb01f4cbbd18f1c138b29196334fb3696a2decdf
                                                                                        • Instruction ID: 7f94123533b3c90a916c162e33e576cf25b202f52dcf835f5fe7f33f7c42780d
                                                                                        • Opcode Fuzzy Hash: 4169c924e00444d4c0336161cb01f4cbbd18f1c138b29196334fb3696a2decdf
                                                                                        • Instruction Fuzzy Hash: 60218771340608EFFB005F61ED8AF353B7BFB54759B10A429F405C1662DB76AC11DA28
                                                                                        APIs
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006CEA5D
                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006CEA73
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006CEA84
                                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006CEA96
                                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006CEAA7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: SendString$_wcslen
                                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                        • API String ID: 2420728520-1007645807
                                                                                        • Opcode ID: 91a9139af141cd1ab0b239c065614b9254f766ae2236742fd80642192073f87b
                                                                                        • Instruction ID: acdd9b0586d9cc63720f9964d0258aeeef8c40954156cad4d884e1127e61e8d4
                                                                                        • Opcode Fuzzy Hash: 91a9139af141cd1ab0b239c065614b9254f766ae2236742fd80642192073f87b
                                                                                        • Instruction Fuzzy Hash: 84117071A902797DD720A7A1EC4AEFF6B7DEBD2B00F40042EB801A21D1EEB01945C9B0
                                                                                        APIs
                                                                                          • Part of subcall function 00678F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00678BE8,?,00000000,?,?,?,?,00678BBA,00000000,?), ref: 00678FC5
                                                                                        • DestroyWindow.USER32(?), ref: 00678C81
                                                                                        • KillTimer.USER32(00000000,?,?,?,?,00678BBA,00000000,?), ref: 00678D1B
                                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 006B6973
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00678BBA,00000000,?), ref: 006B69A1
                                                                                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00678BBA,00000000,?), ref: 006B69B8
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00678BBA,00000000), ref: 006B69D4
                                                                                        • DeleteObject.GDI32(00000000), ref: 006B69E6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                        • String ID:
                                                                                        • API String ID: 641708696-0
                                                                                        • Opcode ID: 13a870da8f38e0f27ad29eaa8256088e2b3e15590d4858ca95be56b67413506f
                                                                                        • Instruction ID: 8a89abd78d2aa12dce18e117b6ea8a5dbe9f31a4ba4191becc60ac4fa4ae2202
                                                                                        • Opcode Fuzzy Hash: 13a870da8f38e0f27ad29eaa8256088e2b3e15590d4858ca95be56b67413506f
                                                                                        • Instruction Fuzzy Hash: 12617871542604DFDB229F15CA58BA5B7B3FB40322F54852CE04A9B6A0CB39ACC1CF98
                                                                                        APIs
                                                                                          • Part of subcall function 00679944: GetWindowLongW.USER32(?,000000EB), ref: 00679952
                                                                                        • GetSysColor.USER32(0000000F), ref: 00679862
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ColorLongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 259745315-0
                                                                                        • Opcode ID: 640ff9d3848806e669074ef95d87e8443103176475ffa5d1cd43a14361b41a6a
                                                                                        • Instruction ID: c7da53652208397931a8dfbe899c96eb135e33f945ec9ebcce74ec0ff3108eed
                                                                                        • Opcode Fuzzy Hash: 640ff9d3848806e669074ef95d87e8443103176475ffa5d1cd43a14361b41a6a
                                                                                        • Instruction Fuzzy Hash: 184191711046449FDB209F389C84BF93BA7AB47331F188B55F9A68B2E1C7319C52DB21
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .h
                                                                                        • API String ID: 0-3939481508
                                                                                        • Opcode ID: 996d5e5e407ab48901c98f0efab1f3b5d5c7194a91dc2a759c3ccda7633dc05d
                                                                                        • Instruction ID: 9e6f22e0fd6228e0fe0353fb384a6073522870d0659bad264da883578c6b7d60
                                                                                        • Opcode Fuzzy Hash: 996d5e5e407ab48901c98f0efab1f3b5d5c7194a91dc2a759c3ccda7633dc05d
                                                                                        • Instruction Fuzzy Hash: A9C1D075904249AFDF11EFACC851BEDBBBAAF0A310F04419DE424A7792C7349A42CB75
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,006AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 006C9717
                                                                                        • LoadStringW.USER32(00000000,?,006AF7F8,00000001), ref: 006C9720
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,006AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 006C9742
                                                                                        • LoadStringW.USER32(00000000,?,006AF7F8,00000001), ref: 006C9745
                                                                                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 006C9866
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString$Message_wcslen
                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                        • API String ID: 747408836-2268648507
                                                                                        • Opcode ID: 2ad3c6ab6221025fb22dbac000e264452f49ea463e4a7e6e303a6c674813576d
                                                                                        • Instruction ID: 80861d53c716062fd92df9d571a8e6329b886e5eaf657d5499f8f701a81738df
                                                                                        • Opcode Fuzzy Hash: 2ad3c6ab6221025fb22dbac000e264452f49ea463e4a7e6e303a6c674813576d
                                                                                        • Instruction Fuzzy Hash: 16413C72800219AADB44FBE0DE46EFE777AEF15740F20042DB50572192EA356F49CB75
                                                                                        APIs
                                                                                          • Part of subcall function 00666B57: _wcslen.LIBCMT ref: 00666B6A
                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006C07A2
                                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006C07BE
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006C07DA
                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006C0804
                                                                                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 006C082C
                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006C0837
                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006C083C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                        • API String ID: 323675364-22481851
                                                                                        • Opcode ID: 8ffd4addc01252f0a920e9bbe41772982461a3e23cbf5996a139b6ff94c2d363
                                                                                        • Instruction ID: ffa8f4b78d53d78eb825b59fce957e0069d925db3c56ac964eb336601b901950
                                                                                        • Opcode Fuzzy Hash: 8ffd4addc01252f0a920e9bbe41772982461a3e23cbf5996a139b6ff94c2d363
                                                                                        • Instruction Fuzzy Hash: 4741C372810229ABDF15EBA4DC95DFDB77AFF14750B144129E901B3261EB70AE44CBA0
APIs
• VariantInit.OLEAUT32(?), ref: 006E3C5C
• CoInitialize.OLE32(00000000), ref: 006E3C8A
• CoUninitialize.OLE32 ref: 006E3C94
• _wcslen.LIBCMT ref: 006E3D2D
• GetRunningObjectTable.OLE32(00000000,?), ref: 006E3DB1
• SetErrorMode.KERNEL32(00000001,00000029), ref: 006E3ED5
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 006E3F0E
• CoGetObject.OLE32(?,00000000,006FFB98,?), ref: 006E3F2D
• SetErrorMode.KERNEL32(00000000), ref: 006E3F40
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006E3FC4
• VariantClear.OLEAUT32(?), ref: 006E3FD8
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: 5f2eec88f8794532493318bc7b1b7f25508e63090eab34eb60234deb0f983b2a
• Instruction ID: ad10c92c89c4ca5e8acfed48c012f6dabe020e4793d27bec0ebd442c8268fbcd
• Opcode Fuzzy Hash: 5f2eec88f8794532493318bc7b1b7f25508e63090eab34eb60234deb0f983b2a
• Instruction Fuzzy Hash: 1CC122716083559FD700DF69C88896ABBEAEF89744F10491DF98A9B310DB31EE06CB52
APIs
• CoInitialize.OLE32(00000000), ref: 006D7AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006D7B8F
• SHGetDesktopFolder.SHELL32(?), ref: 006D7BA3
• CoCreateInstance.OLE32(006FFD08,00000000,00000001,00726E6C,?), ref: 006D7BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006D7C74
• CoTaskMemFree.OLE32(?,?), ref: 006D7CCC
• SHBrowseForFolderW.SHELL32(?), ref: 006D7D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006D7D7A
• CoTaskMemFree.OLE32(00000000), ref: 006D7D81
• CoTaskMemFree.OLE32(00000000), ref: 006D7DD6
• CoUninitialize.OLE32 ref: 006D7DDC
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: 893b176d411307edef700c5e6815f58f4e1bf8016197b65d1fd2ae7e562f7043
• Instruction ID: b4ef5313bbbe6fecf2e9d488b42314dd00d57426fb8d8b63fc3c5088502e4d82
• Opcode Fuzzy Hash: 893b176d411307edef700c5e6815f58f4e1bf8016197b65d1fd2ae7e562f7043
• Instruction Fuzzy Hash: 95C10B75A04109AFCB14DFA4C884DAEBBFAFF48314B148499E81ADB361D730EE45CB91
APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006F5504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006F5515
• CharNextW.USER32(00000158), ref: 006F5544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006F5585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006F559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006F55AC
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: 57b02550469ebd1bad5d701cd78af5f010e1151a010264e19842523055308be3
• Instruction ID: e33835266cedb8aab252c2ebdf800728b3e327a547dae6f0c17b0dbd831e8438
• Opcode Fuzzy Hash: 57b02550469ebd1bad5d701cd78af5f010e1151a010264e19842523055308be3
• Instruction Fuzzy Hash: E7615D7490460CABDF109F54CD84AFE7BBAEB05721F108149FB26AA290D7749E81DB61
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006BFAAF
• SafeArrayAllocData.OLEAUT32(?), ref: 006BFB08
• VariantInit.OLEAUT32(?), ref: 006BFB1A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 006BFB3A
• VariantCopy.OLEAUT32(?,?), ref: 006BFB8D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 006BFBA1
• VariantClear.OLEAUT32(?), ref: 006BFBB6
• SafeArrayDestroyData.OLEAUT32(?), ref: 006BFBC3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006BFBCC
• VariantClear.OLEAUT32(?), ref: 006BFBDE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006BFBE9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: ccf6254f15589dd1d859594dd67d97597602d5210b2f95c3ea251715c8870b6b
• Instruction ID: a05ae84e6cb310d3ed4128045548034031a608fbf9e59ee05503aafff71afb0f
• Opcode Fuzzy Hash: ccf6254f15589dd1d859594dd67d97597602d5210b2f95c3ea251715c8870b6b
• Instruction Fuzzy Hash: 1C413E75A00219DFCB04DFA8CC549FEBBBAFF48354F008469E945A7261CB70A985CBA0
APIs
• GetKeyboardState.USER32(?), ref: 006C9CA1
• GetAsyncKeyState.USER32(000000A0), ref: 006C9D22
• GetKeyState.USER32(000000A0), ref: 006C9D3D
• GetAsyncKeyState.USER32(000000A1), ref: 006C9D57
• GetKeyState.USER32(000000A1), ref: 006C9D6C
• GetAsyncKeyState.USER32(00000011), ref: 006C9D84
• GetKeyState.USER32(00000011), ref: 006C9D96
• GetAsyncKeyState.USER32(00000012), ref: 006C9DAE
• GetKeyState.USER32(00000012), ref: 006C9DC0
• GetAsyncKeyState.USER32(0000005B), ref: 006C9DD8
• GetKeyState.USER32(0000005B), ref: 006C9DEA
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 83f29291fb5b372c74af959a68cf7bd83c54e459cefbe90b3d3878b350dd80cb
• Instruction ID: e92af7a4fdc9c76ed4d48a2557f89ad5cddee2435c62811f12f5b2a27e55f4bc
• Opcode Fuzzy Hash: 83f29291fb5b372c74af959a68cf7bd83c54e459cefbe90b3d3878b350dd80cb
• Instruction Fuzzy Hash: 3441B574504BC96DFF3096609408BF5BEA2EF21344F04905ED6C7667C2DBA4A9C8C7B2
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 006E05BC
• inet_addr.WSOCK32(?), ref: 006E061C
• gethostbyname.WSOCK32(?), ref: 006E0628
• IcmpCreateFile.IPHLPAPI ref: 006E0636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006E06C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006E06E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 006E07B9
• WSACleanup.WSOCK32 ref: 006E07BF
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: e9681726cb49f806173221fbb5bd46f147fecc67fa143c2b24272bafc1abe78c
• Instruction ID: 8ae88029725d3e4362ac8b1909a6eab0f70eae875f929625d2d27c3e26dff03b
• Opcode Fuzzy Hash: e9681726cb49f806173221fbb5bd46f147fecc67fa143c2b24272bafc1abe78c
• Instruction Fuzzy Hash: E491AF356053419FE720DF16C588F5ABBE2AF44318F1485A9F4698B7A2C7B0EC85CF91
APIs
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
• Opcode ID: 8215839d4f950f4787036f821a8f0efc1942edcf73c6c7b842619cc911c3353c
• Instruction ID: 717fe795f2c94538d06feafeedc05b55642363c0eed72dcf6be85956e9d7ab2a
• Opcode Fuzzy Hash: 8215839d4f950f4787036f821a8f0efc1942edcf73c6c7b842619cc911c3353c
• Instruction Fuzzy Hash: A8519E31A016569FCB24DF69C9409FEB7A7BF64320B204229E82AE73C4DB35DD41CB90
APIs
• CoInitialize.OLE32 ref: 006E3774
• CoUninitialize.OLE32 ref: 006E377F
• CoCreateInstance.OLE32(?,00000000,00000017,006FFB78,?), ref: 006E37D9
• IIDFromString.OLE32(?,?), ref: 006E384C
• VariantInit.OLEAUT32(?), ref: 006E38E4
• VariantClear.OLEAUT32(?), ref: 006E3936
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: 19dc1dcb1a57c88a7f657b0ab052d8b63b1a65b1bba29903091d24cf0eb1cea1
• Instruction ID: 91425c4aff19281584f19cadfd61f1127f8550b4f178163b9888a01a7e8f6abe
• Opcode Fuzzy Hash: 19dc1dcb1a57c88a7f657b0ab052d8b63b1a65b1bba29903091d24cf0eb1cea1
• Instruction Fuzzy Hash: 0461AC70609361AFD710DF55C948BAABBEAEF48714F00080DF8859B391D770EE49CB96
APIs
  • Part of subcall function 00679BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00679BB2
  • Part of subcall function 0067912D: GetCursorPos.USER32(?), ref: 00679141
  • Part of subcall function 0067912D: ScreenToClient.USER32(00000000,?), ref: 0067915E
  • Part of subcall function 0067912D: GetAsyncKeyState.USER32(00000001), ref: 00679183
  • Part of subcall function 0067912D: GetAsyncKeyState.USER32(00000002), ref: 0067919D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 006F8B6B
• ImageList_EndDrag.COMCTL32 ref: 006F8B71
• ReleaseCapture.USER32 ref: 006F8B77
• SetWindowTextW.USER32(?,00000000), ref: 006F8C12
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006F8C25
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 006F8CFF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#s
                                                                                        • API String ID: 1924731296-3045788843
                                                                                        • Opcode ID: 56143ccd0a800ff1a198946fda57eee490226d1dde3c6af5682a7597b7453c71
                                                                                        • Instruction ID: ba24c817aef6f85d99bcf7f4501c1c61ede5466af93cea5643bada35a150288e
                                                                                        • Opcode Fuzzy Hash: 56143ccd0a800ff1a198946fda57eee490226d1dde3c6af5682a7597b7453c71
                                                                                        • Instruction Fuzzy Hash: C7518C70204208AFE704DF24DD56BBA77E6FB88710F40062DFA56972E1CB74A904CB66
                                                                                        APIs
                                                                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006D33CF
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006D33F0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString$_wcslen
                                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                        • API String ID: 4099089115-3080491070
                                                                                        • Opcode ID: e229d12fccd692af15a05d97fd700211a0721f3bba35521bfe47daff924eb18f
                                                                                        • Instruction ID: 6df5922c4e5c294da686dc17a01234d2ef27b1d9429a4f658c7e70ef5e39ea72
                                                                                        • Opcode Fuzzy Hash: e229d12fccd692af15a05d97fd700211a0721f3bba35521bfe47daff924eb18f
                                                                                        • Instruction Fuzzy Hash: 3351AF71C00219AADF54EBA0DE46EFEB77AEF14300F10406AF50572292EB352F58DB65
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                        • API String ID: 1256254125-769500911
                                                                                        • Opcode ID: 8d593aad25d9ebc490cde3feb1b7f71f4534171d5b1f66102dda5a8b689c6325
                                                                                        • Instruction ID: 52073db320d7a6d4d8c9b5afe0ad7b951482fef1b0e94f033b114b4486308c39
                                                                                        • Opcode Fuzzy Hash: 8d593aad25d9ebc490cde3feb1b7f71f4534171d5b1f66102dda5a8b689c6325
                                                                                        • Instruction Fuzzy Hash: 1D41B732A000279ACB206F7EC992AFE77A7EB61754F24522EE465D7384E735CD81C790
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 006D53A0
                                                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006D5416
                                                                                        • GetLastError.KERNEL32 ref: 006D5420
                                                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 006D54A7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                        • API String ID: 4194297153-14809454
                                                                                        • Opcode ID: 57a1473fda24c376947c5eaaa85754ddef2e9517facc74f09b878ab67600971b
                                                                                        • Instruction ID: 9816f9221b3d0374778e4b79af37b091d799fbfa29913755a4a99c95f0b117d6
                                                                                        • Opcode Fuzzy Hash: 57a1473fda24c376947c5eaaa85754ddef2e9517facc74f09b878ab67600971b
                                                                                        • Instruction Fuzzy Hash: BE318F35E006089FCB10DF68C584AEA7BF6EF45305F14806AE406DB792DB71DD86CB92
                                                                                        APIs
                                                                                        • CreateMenu.USER32 ref: 006F3C79
                                                                                        • SetMenu.USER32(?,00000000), ref: 006F3C88
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F3D10
                                                                                        • IsMenu.USER32(?), ref: 006F3D24
                                                                                        • CreatePopupMenu.USER32 ref: 006F3D2E
                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006F3D5B
                                                                                        • DrawMenuBar.USER32 ref: 006F3D63
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                        • String ID: 0$F
                                                                                        • API String ID: 161812096-3044882817
                                                                                        • Opcode ID: a3150b2d52612a2db0af009806d9d381405bbe9b5a5712b8ace6e240955518d7
                                                                                        • Instruction ID: 2dd26358d7ff4d61e30d2ba29b47dbef1c9146cc67a58aef35fe49316e664525
                                                                                        • Opcode Fuzzy Hash: a3150b2d52612a2db0af009806d9d381405bbe9b5a5712b8ace6e240955518d7
                                                                                        • Instruction Fuzzy Hash: 6A416779A0121DEFDB14DFA4D994AEA7BB6FF49350F140028FA46A7360D730AA14CF94
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006F3A9D
                                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006F3AA0
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 006F3AC7
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006F3AEA
                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006F3B62
                                                                                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 006F3BAC
                                                                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 006F3BC7
                                                                                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 006F3BE2
                                                                                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 006F3BF6
                                                                                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 006F3C13
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$LongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 312131281-0
                                                                                        • Opcode ID: d7cb542c4ac59a4a6d88c5e744181885b001c72e6fd8f8c7e10630b8b806916e
                                                                                        • Instruction ID: 0d736efbed88b01e24a9a75963f63c459ed10d61c76b075d8327c4c9ba557919
                                                                                        • Opcode Fuzzy Hash: d7cb542c4ac59a4a6d88c5e744181885b001c72e6fd8f8c7e10630b8b806916e
                                                                                        • Instruction Fuzzy Hash: 39618875A00258AFDB10DFA8CC81EFE77B9EB09310F104099FA05AB3A1C774AA42DB54
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 006CB151
                                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB165
                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 006CB16C
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB17B
                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 006CB18D
                                                                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB1A6
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB1B8
                                                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB1FD
                                                                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB212
                                                                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB21D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                        • String ID:
                                                                                        • API String ID: 2156557900-0
                                                                                        • Opcode ID: 28997fc24d07660ee4243e580ca1174de06ab87e6056525edc005074e3dfd8d9
                                                                                        • Instruction ID: 92106427006c11827fed3fd406181c5d83e8349408de8c9221f29f261ac324ae
                                                                                        • Opcode Fuzzy Hash: 28997fc24d07660ee4243e580ca1174de06ab87e6056525edc005074e3dfd8d9
                                                                                        • Instruction Fuzzy Hash: 8D318071500208AFEB249F24DD4AFBD7BABFB51322F14A019F901DA290D7B89E40CF65
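The records above are per-function output of the Joe Sandbox IDA plugin: for each function in the image loaded at 0x660000 they list the Win32 APIs it calls (directly or through a subcall), the strings it references joined with `$`, and a fuzzy hash of its instructions. The strings they carry (`@GUI_DRAGFILE`, `Line %d (File "%s"):`, the `READY`/`NOTREADY` drive-status table) are consistent with the report's "compiled AutoIt script" verdict, which means most of these functions are the AutoIt3 interpreter's own runtime rather than the embedded script's logic, and reading them one by one is slow. The following Python is an added example written for this page, not Joe Sandbox code or part of the report; it parses records in the shape shown here and tags API chains for triage. The chain labels and the AutoIt-runtime string markers are my own heuristics, not sandbox signatures, and the sample input is three records copied from the report text above with the dump-source lines trimmed.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag their API chains for triage.
Added example for this page, not Joe Sandbox code; the chain labels and AutoIt runtime
string markers are triage heuristics of my own, not report signatures."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One "APIs" line: `Name.MODULE(args), ref: ADDR`, `Name.MODULE ref: ADDR`, or either
# form prefixed with `Part of subcall function ADDR:` when reached through a subcall.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# Record fields we keep; "Instruction Fuzzy Hash" is always the last line of a record.
FIELD_RE = re.compile(r"^•\s*(?P<key>API ID|String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str             # call-site address
    args: list[str]
    subcall: str | None  # callee address when the API is only reached through a subcall


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def direct_apis(self) -> list[str]:
        return [c.name for c in self.calls if c.subcall is None]

    @property
    def strings(self) -> list[str]:
        # Joe Sandbox joins a function's referenced strings with '$'.
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_records(text: str) -> list[FunctionRecord]:
    """A record starts at an 'APIs' header and ends at its 'Instruction Fuzzy Hash' line;
    Memory Dump Source, Snapshot and Similarity lines in between are skipped."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append(ApiCall(m["name"], m["module"], m["ref"], args, m["sub"]))
        elif f := FIELD_RE.match(line):
            cur.fields[f["key"]] = f["val"].strip()
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = None
    return records


# Triage heuristics (mine): API sets that, seen together in one function, deserve a second
# look when separating interpreter boilerplate from script behaviour in a compiled AutoIt sample.
CHAINS = {
    "attaches to foreground window's input queue":
        {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"},
    "probes drive status with error dialogs suppressed":
        {"SetErrorMode", "GetDiskFreeSpaceW", "GetLastError"},
    "unloads modules and frees memory at teardown": {"FreeLibrary", "VirtualFree"},
}
# Strings from the AutoIt3 runtime's own tables (assumption, consistent with the report's
# "compiled AutoIt script" verdict): a function carrying them is runtime, not script logic.
AUTOIT_RUNTIME_MARKERS = ("@GUI_", 'Line %d (File "%s")', "Incorrect parameters to object property")


def triage(rec: FunctionRecord) -> list[str]:
    seen = {c.name for c in rec.calls}  # APIs reached through subcalls count too
    notes = [label for label, needed in CHAINS.items() if needed <= seen]
    if any(marker in s for s in rec.strings for marker in AUTOIT_RUNTIME_MARKERS):
        notes.append("autoit runtime string table")
    return notes


# Constructed input: three records copied from the report text above, dump-source lines trimmed.
SAMPLE = """\
APIs
• SetErrorMode.KERNEL32(00000001), ref: 006D53A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006D5416
• GetLastError.KERNEL32 ref: 006D5420
• SetErrorMode.KERNEL32(00000000,READY), ref: 006D54A7
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• Instruction Fuzzy Hash: BE318F35E006089FCB10DF68C584AEA7BF6EF45305F14806AE406DB792DB71DD86CB92
APIs
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB165
• GetWindowThreadProcessId.USER32(00000000), ref: 006CB16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006CA1E1,?,00000001), ref: 006CB17B
• String ID:
• Instruction Fuzzy Hash: 8D318071500208AFEB249F24DD4AFBD7BABFB51322F14A019F901DA290D7B89E40CF65
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006D33CF
  • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006D33F0
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• Instruction Fuzzy Hash: 3351AF71C00219AADF54EBA0DE46EFEB77AEF14300F10406AF50572292EB352F58DB65
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE), 1):
        print(f"record {i}: {', '.join(rec.direct_apis)} -> {triage(rec) or ['untagged']}")
```

Pasting the whole function-record section of a report into `SAMPLE` (or reading it from a saved copy of the page) gives a per-function tag list; functions that pick up only the runtime tags can be set aside, and the remaining ones, plus whatever lives in the injected process dumps rather than this image, are where the sample-specific behaviour will be.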
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00692C94
                                                                                          • Part of subcall function 006929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000), ref: 006929DE
                                                                                          • Part of subcall function 006929C8: GetLastError.KERNEL32(00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000,00000000), ref: 006929F0
                                                                                        • _free.LIBCMT ref: 00692CA0
                                                                                        • _free.LIBCMT ref: 00692CAB
                                                                                        • _free.LIBCMT ref: 00692CB6
                                                                                        • _free.LIBCMT ref: 00692CC1
                                                                                        • _free.LIBCMT ref: 00692CCC
                                                                                        • _free.LIBCMT ref: 00692CD7
                                                                                        • _free.LIBCMT ref: 00692CE2
                                                                                        • _free.LIBCMT ref: 00692CED
                                                                                        • _free.LIBCMT ref: 00692CFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: ccf0c9b8a02112f9e884c3addd346ce9990ca063aa94deb564cdd004157a58ca
                                                                                        • Instruction ID: 8909205e05ea2cc747729d3f77899a1a83c01f4a1e26fbf4df4e43270f128387
                                                                                        • Opcode Fuzzy Hash: ccf0c9b8a02112f9e884c3addd346ce9990ca063aa94deb564cdd004157a58ca
                                                                                        • Instruction Fuzzy Hash: DF11D776100109BFCF42EF55D852CDD3BAAFF05750F4144A8F9485FA22D631EE509B94
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00661459
• OleUninitialize.OLE32(?,00000000), ref: 006614F8
• UnregisterHotKey.USER32(?), ref: 006616DD
• DestroyWindow.USER32(?), ref: 006A24B9
• FreeLibrary.KERNEL32(?), ref: 006A251E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 006A254B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: bb7324520c79b1c3a195ec445fbd69b212da5a1a3787f90d3a9ee979384adccc
• Instruction ID: adb5fd5f5edab60a22dbd3c3aa44bbe7ffd8857298ef00f3999067748d4002be
• Opcode Fuzzy Hash: bb7324520c79b1c3a195ec445fbd69b212da5a1a3787f90d3a9ee979384adccc
• Instruction Fuzzy Hash: 5BD1A031B01212CFCB19EF19C5A5A69F7A6BF06710F18819DE84AAB351DB30ED12CF54
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00665C7A
  • Part of subcall function 00665D0A: GetClientRect.USER32(?,?), ref: 00665D30
  • Part of subcall function 00665D0A: GetWindowRect.USER32(?,?), ref: 00665D71
  • Part of subcall function 00665D0A: ScreenToClient.USER32(?,?), ref: 00665D99
• GetDC.USER32 ref: 006A46F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006A4708
• SelectObject.GDI32(00000000,00000000), ref: 006A4716
• SelectObject.GDI32(00000000,00000000), ref: 006A472B
• ReleaseDC.USER32(?,00000000), ref: 006A4733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006A47C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 6e016f9639a4aae1919c2878f160fa97db3c9998a4122a4278d18a6c6e7cbb11
• Instruction ID: 6a08eea6c2ca597eda099a5e062e34296bece89a80b6a35e49a383adf22247eb
• Opcode Fuzzy Hash: 6e016f9639a4aae1919c2878f160fa97db3c9998a4122a4278d18a6c6e7cbb11
• Instruction Fuzzy Hash: A171BA30400249DFCF21AF64CD85AFA7BA3EF8A321F144269E9565A2A6CB71DC42DF50
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006D35E4
  • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
• LoadStringW.USER32(00732390,?,00000FFF,?), ref: 006D360A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-2391861430
• Opcode ID: ff28bd9b9a5893f38d46b4bdc0740a600177de169bc9800f8808e32eda4a7406
• Instruction ID: 2649db11e68ffac7afc7ace632354c94f4112b9f25720e9af0c78d8d5d2e02ec
• Opcode Fuzzy Hash: ff28bd9b9a5893f38d46b4bdc0740a600177de169bc9800f8808e32eda4a7406
• Instruction Fuzzy Hash: 9B519071C00269BADF54EBA0DD42EEEBB7AEF14300F144129F505722A1DB305B99DFA9
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006DC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006DC29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006DC2CA
• GetLastError.KERNEL32 ref: 006DC322
• SetEvent.KERNEL32(?), ref: 006DC336
• InternetCloseHandle.WININET(00000000), ref: 006DC341
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 5f85184ca608e0cb337b91ef15fdb0be7d00ddc428185751ab19fc90c73dda8d
• Instruction ID: 19e73a994796acb4d83ade7cf86cc0ec06a46e48751333bf463ac870bafa2bc3
• Opcode Fuzzy Hash: 5f85184ca608e0cb337b91ef15fdb0be7d00ddc428185751ab19fc90c73dda8d
• Instruction Fuzzy Hash: 98316BB1A0020DAFDB21AF658988ABB7BFEEB49764B10851EF44692300DB30DD05DB60
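To pivot on records like the ones in this listing (which modules a function touches, which strings it carries, which instruction fuzzy hashes recur across reports of other samples), here is an added Python parser for the "APIs" / "Similarity" block format used above. It is example code written for this page, not Joe Sandbox code. Its sample input is constructed from the WinINet record above and the GetModuleHandleW/MessageBoxW record that follows it, with the "Download File" link text dropped. Two assumptions are built in: the "$" separator inside "String ID" values is inferred from this report's own records (e.g. "SHELLDLL_DefView$details$largeicons"), and argument lists are split on "," even though the report gives no escaping for a string argument that itself contains a comma.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Similarity' records into data you can
pivot on (modules used, string IDs, instruction fuzzy hashes across reports).
Added example for this page, not Joe Sandbox code. SAMPLE is constructed from two
records on this page ('Download File' link text dropped); the '$' separator in
'String ID' values is inferred from the report's own records (assumption)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006DC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006DC29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006DC2CA
• GetLastError.KERNEL32 ref: 006DC322
• SetEvent.KERNEL32(?), ref: 006DC336
• InternetCloseHandle.WININET(00000000), ref: 006DC341
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Instruction Fuzzy Hash: 98316BB1A0020DAFDB21AF658988ABB7BFEEB49764B10851EF44692300DB30DD05DB60
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006A3AAF,?,?,Bad directive syntax error,006FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006C98BC
• LoadStringW.USER32(00000000,?,006A3AAF,?), ref: 006C98C3
  • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006C9987
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Instruction Fuzzy Hash: 0C215C7180026AABCF15AF90CC0AEFE777AFF18700F04445EB515661A2EA359A18DB24
"""

# One API-call bullet, in the three shapes the report uses:
#   • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006DC2CA
#   • GetLastError.KERNEL32 ref: 006DC322
#   • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
# 'Key: value' bullets of the Similarity section; the value may be empty.
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s?(?P<val>.*)$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class ApiCall:
    function: str
    module: str
    args: list[str]
    ref: str                        # address of the call site in the dump
    subcall_of: Optional[str] = None  # set for 'Part of subcall function' lines


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)

    def modules(self) -> set[str]:
        return {c.module for c in self.calls}

    def string_ids(self) -> list[str]:
        val = self.similarity.get("String ID", "")
        return val.split("$") if val else []   # '$'-separated (assumption, see above)

    def fuzzy_hash(self) -> Optional[str]:
        return self.similarity.get("Instruction Fuzzy Hash")


def parse_records(text: str) -> list[FunctionRecord]:
    """A new record starts at every 'APIs' header; other sections are skipped."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if section == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue
        rec = records[-1]
        if section == "APIs" and (m := API_RE.match(raw)):
            args = m.group("args")
            rec.calls.append(ApiCall(m.group("func"), m.group("mod"),
                                     args.split(",") if args else [],  # ',' split is an assumption
                                     m.group("ref"), m.group("sub")))
        elif section == "Similarity" and (m := KV_RE.match(raw)):
            rec.similarity[m.group("key").strip()] = m.group("val")
    return records


def records_calling(records: list[FunctionRecord], functions: set[str]) -> list[int]:
    """Indexes of records whose call list contains every name in `functions`."""
    return [i for i, r in enumerate(records) if functions <= {c.function for c in r.calls}]


def hash_index(records: list[FunctionRecord]) -> dict[str, set[str]]:
    """Instruction Fuzzy Hash -> API names, for matching functions between reports."""
    out: dict[str, set[str]] = {}
    for r in records:
        if r.fuzzy_hash():
            out.setdefault(r.fuzzy_hash(), set()).update(c.function for c in r.calls)
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, rec in enumerate(recs):
        print(f"record {i}: modules={sorted(rec.modules())} "
              f"calls={[c.function for c in rec.calls]} hash={rec.fuzzy_hash()}")
        for s in rec.string_ids():
            print(f"    string: {s!r}")
    print("records that open a URL and send a request:",
          records_calling(recs, {"InternetOpenUrlW", "HttpSendRequestW"}))
```

Feed it the text of a whole report and `hash_index` gives you a lookup keyed on the instruction fuzzy hash, which is the field worth carrying between reports: the AutoIt runtime functions in this listing will show the same hashes in other compiled-AutoIt droppers, so a match on the hash plus the same API set separates runtime code from the script-specific payload.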
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006A3AAF,?,?,Bad directive syntax error,006FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006C98BC
• LoadStringW.USER32(00000000,?,006A3AAF,?), ref: 006C98C3
  • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006C9987
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 039962fb95f70902577f34d3b2b1dfd5ed839abde2e055f56e8e797b7d730e7a
• Instruction ID: 748b18d023d5cf2bed858d9f20793168d8863242cfe31714912d61e13084f365
• Opcode Fuzzy Hash: 039962fb95f70902577f34d3b2b1dfd5ed839abde2e055f56e8e797b7d730e7a
• Instruction Fuzzy Hash: 0C215C7180026AABCF15AF90CC0AEFE777AFF18700F04445EB515661A2EA359A18DB24
APIs
• GetParent.USER32 ref: 006C20AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 006C20C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006C214D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
• Opcode ID: b07288118be2a40f20bdab421dd1619ab8d3cadc3b6c1c45237d8dba66f39358
• Instruction ID: 690da26c9a14e734825872f299121aa63727825af9ead09eab75598a6cd29903
• Opcode Fuzzy Hash: b07288118be2a40f20bdab421dd1619ab8d3cadc3b6c1c45237d8dba66f39358
• Instruction Fuzzy Hash: 5E110AB6688717B9F6053620EC16EF6379ECF05324B20012EFF04A55D5EE7558425A18
APIs
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
• Opcode ID: d6450e4c7c576bfcc2aa1e5ff5d1ccd0018f3ceb8df5f07109ef26edc6fba363
• Instruction ID: e3e234f95c5719727c7f6f0c46181fcc762c40db957ec2387c9179e763f8b75d
• Opcode Fuzzy Hash: d6450e4c7c576bfcc2aa1e5ff5d1ccd0018f3ceb8df5f07109ef26edc6fba363
• Instruction Fuzzy Hash: CA6127B1A04301AFDF21AFB898A1AAA7BEFEF05370F04416DF94597B81D7359D018794
APIs
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 006F5186
• ShowWindow.USER32(?,00000000), ref: 006F51C7
• ShowWindow.USER32(?,00000005,?,00000000), ref: 006F51CD
• SetFocus.USER32(?,?,00000005,?,00000000), ref: 006F51D1
  • Part of subcall function 006F6FBA: DeleteObject.GDI32(00000000), ref: 006F6FE6
• GetWindowLongW.USER32(?,000000F0), ref: 006F520D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 006F521A
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006F524D
• SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 006F5287
• SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 006F5296
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
• String ID:
• API String ID: 3210457359-0
• Opcode ID: d4945f2a2ea49def95afec8a1a7beb009abcb2a886519236895546db84b38908
• Instruction ID: b035be9b59031a78cc3f0b45f156c3bb5ddec9f3239c0417ceccc410a6e4c27a
• Opcode Fuzzy Hash: d4945f2a2ea49def95afec8a1a7beb009abcb2a886519236895546db84b38908
• Instruction Fuzzy Hash: FD517030A50A0CBEEF249F28CC46BF93B67AF05321F148215F716962E0C775AE91DB55
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006B6890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006B68A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006B68B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006B68D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006B68F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00678874,00000000,00000000,00000000,000000FF,00000000), ref: 006B6901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006B691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00678874,00000000,00000000,00000000,000000FF,00000000), ref: 006B692D
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
• Opcode ID: a8526d5d35ff594ffc04a1e61d037680e094c88b39d55ac2b20d973e914e4b37
• Instruction ID: 497d00025ddc89b52819875d55f57fa703b20f747c87043bc4b3c49cfa1e3929
• Opcode Fuzzy Hash: a8526d5d35ff594ffc04a1e61d037680e094c88b39d55ac2b20d973e914e4b37
• Instruction Fuzzy Hash: 2A518BB0600209EFDB20DF25CC55FAA7BB6FB58760F108528F90A972A0DB74ED91DB50
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006DC182
                                                                                        • GetLastError.KERNEL32 ref: 006DC195
                                                                                        • SetEvent.KERNEL32(?), ref: 006DC1A9
                                                                                          • Part of subcall function 006DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006DC272
                                                                                          • Part of subcall function 006DC253: GetLastError.KERNEL32 ref: 006DC322
                                                                                          • Part of subcall function 006DC253: SetEvent.KERNEL32(?), ref: 006DC336
                                                                                          • Part of subcall function 006DC253: InternetCloseHandle.WININET(00000000), ref: 006DC341
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                        • String ID:
                                                                                        • API String ID: 337547030-0
                                                                                        • Opcode ID: 2312fb8998ac205ab5e82fa1356c8aaf12eb04599deaf2c31b6ad4cce9302224
                                                                                        • Instruction ID: f257e380e821aaa76dd56b74d05db28080e1c6cde707c53971f68f028aaa667e
                                                                                        • Opcode Fuzzy Hash: 2312fb8998ac205ab5e82fa1356c8aaf12eb04599deaf2c31b6ad4cce9302224
                                                                                        • Instruction Fuzzy Hash: AB318D71A0060AAFDB219FA5DD44AB6BBFBFF58320B10441EF95682710D731EA15DBA0
                                                                                        APIs
                                                                                          • Part of subcall function 006C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006C3A57
                                                                                          • Part of subcall function 006C3A3D: GetCurrentThreadId.KERNEL32 ref: 006C3A5E
                                                                                          • Part of subcall function 006C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006C25B3), ref: 006C3A65
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 006C25BD
                                                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006C25DB
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006C25DF
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 006C25E9
                                                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006C2601
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 006C2605
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 006C260F
                                                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006C2623
                                                                                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 006C2627
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2014098862-0
                                                                                        • Opcode ID: fa53987b71b23c76ebcaff2cdb4dbf3d9ddd7b3b637a3a16a28c968c3b5a9dce
                                                                                        • Instruction ID: 3c219b6a628840ad1bcd82059d6e089f035be7698b4c9a43f4041662418d57ac
                                                                                        • Opcode Fuzzy Hash: fa53987b71b23c76ebcaff2cdb4dbf3d9ddd7b3b637a3a16a28c968c3b5a9dce
                                                                                        • Instruction Fuzzy Hash: 8801D430394224BBFB106769DC8AF6A3F5ADF4EB22F101009F318AF1D1C9F26454DA69
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,006C1449,?,?,00000000), ref: 006C180C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,006C1449,?,?,00000000), ref: 006C1813
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006C1449,?,?,00000000), ref: 006C1828
                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,006C1449,?,?,00000000), ref: 006C1830
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,006C1449,?,?,00000000), ref: 006C1833
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006C1449,?,?,00000000), ref: 006C1843
                                                                                        • GetCurrentProcess.KERNEL32(006C1449,00000000,?,006C1449,?,?,00000000), ref: 006C184B
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,006C1449,?,?,00000000), ref: 006C184E
                                                                                        • CreateThread.KERNEL32(00000000,00000000,006C1874,00000000,00000000,00000000), ref: 006C1868
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 1957940570-0
                                                                                        • Opcode ID: d5edad169dd28f9a56760f240e1a1d4b06fef3004323df99eeecdd5e1332c437
                                                                                        • Instruction ID: f27559974c492abcc3df17271b41b80274e7f226f8ee6e365f5be5f000833cae
                                                                                        • Opcode Fuzzy Hash: d5edad169dd28f9a56760f240e1a1d4b06fef3004323df99eeecdd5e1332c437
                                                                                        • Instruction Fuzzy Hash: F801BBB5240708BFE710EBA5DD4DF6B3BADEB8AB11F015411FA05DB1A2CA709810DB60
                                                                                        APIs
                                                                                          • Part of subcall function 006CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 006CD501
                                                                                          • Part of subcall function 006CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 006CD50F
                                                                                          • Part of subcall function 006CD4DC: CloseHandle.KERNEL32(00000000), ref: 006CD5DC
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006EA16D
                                                                                        • GetLastError.KERNEL32 ref: 006EA180
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006EA1B3
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 006EA268
                                                                                        • GetLastError.KERNEL32(00000000), ref: 006EA273
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 006EA2C4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                        • String ID: SeDebugPrivilege
                                                                                        • API String ID: 2533919879-2896544425
                                                                                        • Opcode ID: f301e86fb30704f0847496712c3df8607ca7cd97329c762fa90a45b9385f34ca
                                                                                        • Instruction ID: c1dd04b18d24010d77c68ea831ff1f2b67fb8e4f3ab85b96867ab2638f328242
                                                                                        • Opcode Fuzzy Hash: f301e86fb30704f0847496712c3df8607ca7cd97329c762fa90a45b9385f34ca
                                                                                        • Instruction Fuzzy Hash: 81619A302053829FD720DF59C494F66BBE2AF44318F18849CE5669BBA3C772ED45CB92
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006F3925
                                                                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 006F393A
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006F3954
                                                                                        • _wcslen.LIBCMT ref: 006F3999
                                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 006F39C6
                                                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 006F39F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window_wcslen
                                                                                        • String ID: SysListView32
                                                                                        • API String ID: 2147712094-78025650
                                                                                        • Opcode ID: b6ea3aa8681974a4231117aae635d4c0a9e05d00cc16beb8724304dd6474b355
                                                                                        • Instruction ID: 551b89725854b5e0349a468cf6efd33dbcbc56c40363dad893fff533f0f11fd9
                                                                                        • Opcode Fuzzy Hash: b6ea3aa8681974a4231117aae635d4c0a9e05d00cc16beb8724304dd6474b355
                                                                                        • Instruction Fuzzy Hash: E3417571A0021DABEF219F64CC45BFA77AAEF08350F10052AFA58E7391D7B59D84CB94
                                                                                        APIs
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006CBCFD
                                                                                        • IsMenu.USER32(00000000), ref: 006CBD1D
                                                                                        • CreatePopupMenu.USER32 ref: 006CBD53
                                                                                        • GetMenuItemCount.USER32(00C84D10), ref: 006CBDA4
                                                                                        • InsertMenuItemW.USER32(00C84D10,?,00000001,00000030), ref: 006CBDCC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                        • String ID: 0$2
                                                                                        • API String ID: 93392585-3793063076
                                                                                        • Opcode ID: 05e102344d809c2eab9ce2ec72a8865637973f4f494f31337530ce366b12dc07
                                                                                        • Instruction ID: a1976e2b2493195cfe7e0002b019dfdf37e33aaa19a7bfce74d8f02921d2ec5c
                                                                                        • Opcode Fuzzy Hash: 05e102344d809c2eab9ce2ec72a8865637973f4f494f31337530ce366b12dc07
                                                                                        • Instruction Fuzzy Hash: 94519D70A002099BDB10DFA8D986FFEBBFAEF45324F14615DE40297390D771A945CB61
                                                                                        APIs
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00682D4B
                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00682D53
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00682DE1
                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00682E0C
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00682E61
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                        • String ID: &Hh$csm
                                                                                        • API String ID: 1170836740-1897021073
                                                                                        • Opcode ID: 31356c900086e747371a913e9685538b0801080b061e96ab4becb0cb2a4bb729
                                                                                        • Instruction ID: 9e791b956beaa4d9d62fd1c00ed71e94448cb815ad39628bf75953253bf6879f
                                                                                        • Opcode Fuzzy Hash: 31356c900086e747371a913e9685538b0801080b061e96ab4becb0cb2a4bb729
                                                                                        • Instruction Fuzzy Hash: 5041C474A0021AEBCF10EF68C865ADEBFB6BF44324F148259E8146B392D7759A01CBD4
                                                                                        APIs
                                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 006CC913
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
Similarity
• API ID: _wcslen$LocalTime
• String ID:
• API String ID: 952045576-0
APIs
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006B682C,00000004,00000000,00000000), ref: 0067F953
• ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,006B682C,00000004,00000000,00000000), ref: 006BF3D1
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006B682C,00000004,00000000,00000000), ref: 006BF454
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
APIs
• DeleteObject.GDI32(00000000), ref: 006F2D1B
• GetDC.USER32(00000000), ref: 006F2D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 006F2D2E
• ReleaseDC.USER32(00000000,00000000), ref: 006F2D3A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006F2D76
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006F2D87
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 006F2DC2
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006F2DE1
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
APIs
• GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006A15CE
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006A1651
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006A17FB,?,006A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006A16E4
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006A16FB
  • Part of subcall function 00693820: RtlAllocateHeap.NTDLL(00000000,?,00731444,?,0067FDF5,?,?,0066A976,00000010,00731440,006613FC,?,006613C6,?,00661129), ref: 00693852
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006A1777
• __freea.LIBCMT ref: 006A17A2
• __freea.LIBCMT ref: 006A17AE
Similarity
• API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
• String ID:
• API String ID: 2829977744-0
Similarity
• API ID: Variant$ClearInit
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2610073882-625585964
APIs
• SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 006D125C
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 006D1284
• SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006D12A8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006D12D8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006D135F
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006D13C4
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006D1430
Similarity
• API ID: ArraySafe$Data$Access$UnaccessVartype
• String ID:
• API String ID: 2550207440-0
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
• VariantInit.OLEAUT32(?), ref: 006E396B
• CharUpperBuffW.USER32(?,?), ref: 006E3A7A
• _wcslen.LIBCMT ref: 006E3A8A
• VariantClear.OLEAUT32(?), ref: 006E3C1F
  • Part of subcall function 006D0CDF: VariantInit.OLEAUT32(00000000), ref: 006D0D1F
  • Part of subcall function 006D0CDF: VariantCopy.OLEAUT32(?,?), ref: 006D0D28
  • Part of subcall function 006D0CDF: VariantClear.OLEAUT32(?), ref: 006D0D34
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                        • API String ID: 4137639002-1221869570
                                                                                        • Opcode ID: 27466c2eeac8e5bde7073e3a232c1caf93adb5e7c039c9eac9765effc320a3af
                                                                                        • Instruction ID: c6a48a995d7f7ae0ef368be33fa469ba577c76763b0b40b72d5872a01761896e
                                                                                        • Opcode Fuzzy Hash: 27466c2eeac8e5bde7073e3a232c1caf93adb5e7c039c9eac9765effc320a3af
                                                                                        • Instruction Fuzzy Hash: B79188746083459FC704DF29C48496AB7E6FF88314F14886EF88A9B351DB31EE46CB96
                                                                                        APIs
                                                                                          • Part of subcall function 006C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?,?,?,006C035E), ref: 006C002B
                                                                                          • Part of subcall function 006C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?,?), ref: 006C0046
                                                                                          • Part of subcall function 006C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?,?), ref: 006C0054
                                                                                          • Part of subcall function 006C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?), ref: 006C0064
                                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 006E4C51
                                                                                        • _wcslen.LIBCMT ref: 006E4D59
                                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 006E4DCF
                                                                                        • CoTaskMemFree.OLE32(?), ref: 006E4DDA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                        • String ID: NULL Pointer assignment
                                                                                        • API String ID: 614568839-2785691316
                                                                                        • Opcode ID: 4ac85e538890b8259ab9d4b802b50b5a83eef4e5e6d493f354783085ba57224b
                                                                                        • Instruction ID: 8b8ebcb234e2302aa0b183632c26ce3467b907fa2bcb9692b370fbb1fef0b343
                                                                                        • Opcode Fuzzy Hash: 4ac85e538890b8259ab9d4b802b50b5a83eef4e5e6d493f354783085ba57224b
                                                                                        • Instruction Fuzzy Hash: 05912671D0125DAFDF14DFA5C891AEEB7BABF08310F10856AE915B7241DB309A45CFA0
                                                                                        APIs
                                                                                        • GetMenu.USER32(?), ref: 006F2183
                                                                                        • GetMenuItemCount.USER32(00000000), ref: 006F21B5
                                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006F21DD
                                                                                        • _wcslen.LIBCMT ref: 006F2213
                                                                                        • GetMenuItemID.USER32(?,?), ref: 006F224D
                                                                                        • GetSubMenu.USER32(?,?), ref: 006F225B
                                                                                          • Part of subcall function 006C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006C3A57
                                                                                          • Part of subcall function 006C3A3D: GetCurrentThreadId.KERNEL32 ref: 006C3A5E
                                                                                          • Part of subcall function 006C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006C25B3), ref: 006C3A65
                                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006F22E3
                                                                                          • Part of subcall function 006CE97B: Sleep.KERNEL32 ref: 006CE9F3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 4196846111-0
                                                                                        • Opcode ID: 8866838ce6c9712f58286c42ceaa2525f9da2dfa8928f68a38929c70bb9b3fdd
                                                                                        • Instruction ID: dab24a56a1f2ba06bb1f063b816c711747648d60bb809dacb6b363f1115e414c
                                                                                        • Opcode Fuzzy Hash: 8866838ce6c9712f58286c42ceaa2525f9da2dfa8928f68a38929c70bb9b3fdd
                                                                                        • Instruction Fuzzy Hash: 56716275A00209AFCB50DFA4C851ABEB7F2EF48320F148459EA16AB341D734EE418F94
                                                                                        APIs
                                                                                        • GetParent.USER32(?), ref: 006CAEF9
                                                                                        • GetKeyboardState.USER32(?), ref: 006CAF0E
                                                                                        • SetKeyboardState.USER32(?), ref: 006CAF6F
                                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 006CAF9D
                                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 006CAFBC
                                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 006CAFFD
                                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006CB020
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                        • String ID:
                                                                                        • API String ID: 87235514-0
                                                                                        • Opcode ID: 67c32c8bf5bf89f187b2332f2d3768bc9612063f11cd25bb53d92d4f29ea90c9
                                                                                        • Instruction ID: 69e4193eb5fce6d9765d64a5e35b6648cd5841d83e7b1e8f48f59e61a7137e32
                                                                                        • Opcode Fuzzy Hash: 67c32c8bf5bf89f187b2332f2d3768bc9612063f11cd25bb53d92d4f29ea90c9
                                                                                        • Instruction Fuzzy Hash: 5551C4A06147D93DFB3642748C4AFFA7EAA9B06308F08958DE1E5855C3C3A8ADC4D752
                                                                                        APIs
                                                                                        • GetParent.USER32(00000000), ref: 006CAD19
                                                                                        • GetKeyboardState.USER32(?), ref: 006CAD2E
                                                                                        • SetKeyboardState.USER32(?), ref: 006CAD8F
                                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006CADBB
                                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006CADD8
                                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006CAE17
                                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006CAE38
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                        • String ID:
                                                                                        • API String ID: 87235514-0
                                                                                        • Opcode ID: ec7592b04a4ce62fd1b3798484c67f07d08751b38fac00c93661e1cc800e2435
                                                                                        • Instruction ID: 5399ff8a39eac45da00a83b58bb63c73f5d5c178384691693d5badd689d7d7c5
                                                                                        • Opcode Fuzzy Hash: ec7592b04a4ce62fd1b3798484c67f07d08751b38fac00c93661e1cc800e2435
                                                                                        • Instruction Fuzzy Hash: 7151D5B15047D93DFB3243B48C55FBA7EAA9F45308F08858DE1D6869C3C294EC84E792
                                                                                        APIs
                                                                                        • GetConsoleCP.KERNEL32(006A3CD6,?,?,?,?,?,?,?,?,00695BA3,?,?,006A3CD6,?,?), ref: 00695470
                                                                                        • __fassign.LIBCMT ref: 006954EB
                                                                                        • __fassign.LIBCMT ref: 00695506
                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,006A3CD6,00000005,00000000,00000000), ref: 0069552C
                                                                                        • WriteFile.KERNEL32(?,006A3CD6,00000000,00695BA3,00000000,?,?,?,?,?,?,?,?,?,00695BA3,?), ref: 0069554B
                                                                                        • WriteFile.KERNEL32(?,?,00000001,00695BA3,00000000,?,?,?,?,?,?,?,?,?,00695BA3,?), ref: 00695584
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                        • String ID:
                                                                                        • API String ID: 1324828854-0
                                                                                        • Opcode ID: f7ff12cdb2f75768311ddb124b563bb28963ed008feb2b6b375b068bd933e110
                                                                                        • Instruction ID: aa73cb286919b6526da3ef612085a7c5e2d9378cad156822c1acfdfc2de6167b
                                                                                        • Opcode Fuzzy Hash: f7ff12cdb2f75768311ddb124b563bb28963ed008feb2b6b375b068bd933e110
                                                                                        • Instruction Fuzzy Hash: D651E471A006099FDF11CFA8D841AEEBBFAEF09300F15415AF556E7392E7309A41CB60
                                                                                        APIs
                                                                                          • Part of subcall function 006E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006E307A
                                                                                          • Part of subcall function 006E304E: _wcslen.LIBCMT ref: 006E309B
                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006E1112
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E1121
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E11C9
                                                                                        • closesocket.WSOCK32(00000000), ref: 006E11F9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                        • String ID:
                                                                                        • API String ID: 2675159561-0
                                                                                        • Opcode ID: 97f82db935f453ec294fa4688ac252dd07042ed4110147323a028a9c5e17dc13
                                                                                        • Instruction ID: e6bcc381fc278f422e632abd41613758b08712df9646d7b4b1a8f17d4a5df007
                                                                                        • Opcode Fuzzy Hash: 97f82db935f453ec294fa4688ac252dd07042ed4110147323a028a9c5e17dc13
                                                                                        • Instruction Fuzzy Hash: 8541F231600648AFDB109F55C884BEABBEBEF86364F148059F9169F391C770AD41CBA0
                                                                                        APIs
                                                                                          • Part of subcall function 006CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006CCF22,?), ref: 006CDDFD
                                                                                          • Part of subcall function 006CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006CCF22,?), ref: 006CDE16
                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 006CCF45
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 006CCF7F
                                                                                        • _wcslen.LIBCMT ref: 006CD005
                                                                                        • _wcslen.LIBCMT ref: 006CD01B
                                                                                        • SHFileOperationW.SHELL32(?), ref: 006CD061
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                        • String ID: \*.*
                                                                                        • API String ID: 3164238972-1173974218
                                                                                        • Opcode ID: 79264b89d5486ce0737f672524d0af9eae088d9b63e7cb5ab8a1d2c3eb630a6a
                                                                                        • Instruction ID: 9a269e891c4c017852f52ec053008a26c2065794b37cba5aa41fcba7db1decc2
                                                                                        • Opcode Fuzzy Hash: 79264b89d5486ce0737f672524d0af9eae088d9b63e7cb5ab8a1d2c3eb630a6a
                                                                                        • Instruction Fuzzy Hash: 2F4144719052185EDF52EBA4C981FEDB7BAEF48390F0000EEE509EB141EA34A689CB54
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006F2E1C
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 006F2E4F
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 006F2E84
                                                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006F2EB6
                                                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006F2EE0
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 006F2EF1
                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006F2F0B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongWindow$MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 2178440468-0
                                                                                        • Opcode ID: 02c95efeea3832b7115fce29850a7b29be230bac4e894b2621c6629483875ff4
                                                                                        • Instruction ID: 6899685919fc1254b21ee46ebb6bb0fc0b995a3aad08d3a6ac10626f803b1155
                                                                                        • Opcode Fuzzy Hash: 02c95efeea3832b7115fce29850a7b29be230bac4e894b2621c6629483875ff4
                                                                                        • Instruction Fuzzy Hash: FA31143064514A9FEB208F18DD94FA537E2EB4A721F2551A4FA00CF2B1CB71A841DF00
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006C7769
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006C778F
                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 006C7792
                                                                                        • SysAllocString.OLEAUT32(?), ref: 006C77B0
                                                                                        • SysFreeString.OLEAUT32(?), ref: 006C77B9
                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 006C77DE
                                                                                        • SysAllocString.OLEAUT32(?), ref: 006C77EC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                        • String ID:
                                                                                        • API String ID: 3761583154-0
                                                                                        • Opcode ID: c2f22d95c4f63fc099eeae588de33b41c644fb6981554ece9cd7dca6dc2192e6
                                                                                        • Instruction ID: be9128414d00542e35a7c09dd0c8a6ef1ec69cf513e0b8b076f412f7ed2b74e0
                                                                                        • Opcode Fuzzy Hash: c2f22d95c4f63fc099eeae588de33b41c644fb6981554ece9cd7dca6dc2192e6
                                                                                        • Instruction Fuzzy Hash: 67217F7660821DAFDB10DFA8CD88DFA77AEEB097647048029F915DB250D670DC45CB74
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006C7842
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006C7868
                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 006C786B
                                                                                        • SysAllocString.OLEAUT32 ref: 006C788C
                                                                                        • SysFreeString.OLEAUT32 ref: 006C7895
                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 006C78AF
                                                                                        • SysAllocString.OLEAUT32(?), ref: 006C78BD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                        • String ID:
                                                                                        • API String ID: 3761583154-0
                                                                                        • Opcode ID: a782808fa83f35ef09dffc1df626e97be51a7894693098a67b617357dc5594c3
                                                                                        • Instruction ID: 3097635766aa4a22125cba35daf52090621c383b90ca411d914c1b75ed529e83
                                                                                        • Opcode Fuzzy Hash: a782808fa83f35ef09dffc1df626e97be51a7894693098a67b617357dc5594c3
                                                                                        • Instruction Fuzzy Hash: DC214435609108BFDB10AFA8DC8DEBA77EDEB097607108139FA15CB2A1D674DC41CB64
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 006D04F2
                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006D052E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateHandlePipe
                                                                                        • String ID: nul
                                                                                        • API String ID: 1424370930-2873401336
                                                                                        • Opcode ID: 1a8ef03600fb674e615dbdd2b070c729a13b087ecf024c87b83a82c24b661d93
                                                                                        • Instruction ID: 0e7523305236aadc39cf5c415b63250afec6e4da8334dc141dd027a297647c6d
                                                                                        • Opcode Fuzzy Hash: 1a8ef03600fb674e615dbdd2b070c729a13b087ecf024c87b83a82c24b661d93
                                                                                        • Instruction Fuzzy Hash: B8215EB5D00305EBEB209F29E945BAA77A6AF45724F204A1AECA1D73E0D7709950DF20
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 006D05C6
                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006D0601
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateHandlePipe
                                                                                        • String ID: nul
                                                                                        • API String ID: 1424370930-2873401336
                                                                                        • Opcode ID: dc9cf1f2fb9a91a4e8052e1e70b8e0479025832946aceadcb1f767a8cc8fc784
                                                                                        • Instruction ID: e0daaf98d8dcea1e74551a2b8f3bb57480ab83f439a5525f9f4c7713e33a67c3
                                                                                        • Opcode Fuzzy Hash: dc9cf1f2fb9a91a4e8052e1e70b8e0479025832946aceadcb1f767a8cc8fc784
                                                                                        • Instruction Fuzzy Hash: A8215175D003459BEB209F799C04BAA77E6AF95730F200A1AF8A1E73E0D770D961CB60
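The two records above list the same API mix (GetStdHandle, CreatePipe) with the string nul and carry the same API String ID, but their call sites differ (006D04F2 and 006D05C6), so they are two distinct functions in the dumped image with an identical fingerprint. As an added example, not part of the Joe Sandbox report or of Joe Security's tooling, the Python below parses records in this listing format into structured data: each `Name.MODULE(args), ref: ADDR` bullet becomes a call, each `ref` is rebased against the `Offset:` value of the Source File (taken here as the image base, an assumption supported by the dump being marked `based on PE: true`) to give an offset into the dumped module, the `Download File` link label that page extraction leaves on the `Associated:` lines is stripped, and records are grouped by API String ID. The sample input is a constructed excerpt modelled on the two records above; argument values are kept as printed and not interpreted.

```python
"""Parse function records from a Joe Sandbox IDA-plugin listing (added triage
helper, not part of the report or of Joe Security's tooling). Each
"Name.MODULE(args), ref: ADDR" bullet becomes a structured call, refs are rebased
to RVAs with the dump's "Offset:" image base, and records are grouped by API
String ID so near-duplicate functions stand out. SAMPLE is a constructed excerpt."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(  # "_free.LIBCMT ref: X" has neither an argument list nor a comma
    r"^(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?(?P<name>[A-Za-z_]\w*)"
    r"\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
LINK_RESIDUE = "Download File"  # link label that page extraction leaves on "Associated:" lines

SAMPLE = """
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 006D04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006D052E
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode Fuzzy Hash: 1a8ef03600fb674e615dbdd2b070c729a13b087ecf024c87b83a82c24b661d93
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 006D05C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006D0601
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode Fuzzy Hash: dc9cf1f2fb9a91a4e8052e1e70b8e0479025832946aceadcb1f767a8cc8fc784
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                          # call-site address as printed in the report
    subcall_of: Optional[int] = None  # callee address when the line was folded in from a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    image_base: Optional[int] = None

    def rva(self, ref: int) -> Optional[int]:
        # Refs are taken as virtual addresses inside the dumped image (assumption).
        return None if self.image_base is None else ref - self.image_base


def parse_records(text: str) -> list:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line in SECTIONS:              # every record opens with its "APIs" block
            if line == "APIs":
                cur = FunctionRecord()
                records.append(cur)
            section = line
        elif not line or cur is None:
            continue
        elif section == "APIs":
            if m := API_RE.match(line):
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                sub = int(m["subfn"], 16) if m["subfn"] else None
                cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif section == "Strings":
            cur.strings.append(line)
        elif ":" in line:                 # "Key: value" bullets of the remaining sections
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "Associated":
                cur.associated.append(value.replace(LINK_RESIDUE, "").rstrip())
            else:
                cur.fields[key] = value
                if key == "Source File" and (off := OFFSET_RE.search(value)):
                    cur.image_base = int(off.group(1), 16)
    return records


def group_by_api_string_id(records) -> dict:
    """Records sharing an API String ID have the same API and string fingerprint."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.fields.get("API String ID", "")].append(rec)
    return dict(groups)


if __name__ == "__main__":
    for sid, recs in group_by_api_string_id(parse_records(SAMPLE)).items():
        print(sid, [(r.fields["API ID"], [hex(r.rva(c.ref)) for c in r.apis]) for r in recs])
```

Running the file prints one line per API String ID with the API ID and the call-site offsets of every function in that group. `parse_records` accepts the full report text, so the same grouping can be run over every record on this page, and the Opcode Fuzzy Hash and Instruction Fuzzy Hash values land in `fields` where a similarity search across samples can pick them up.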
                                                                                        APIs
                                                                                          • Part of subcall function 0066600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0066604C
                                                                                          • Part of subcall function 0066600E: GetStockObject.GDI32(00000011), ref: 00666060
                                                                                          • Part of subcall function 0066600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0066606A
                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006F4112
                                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006F411F
                                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006F412A
                                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006F4139
                                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006F4145
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                                        • String ID: Msctls_Progress32
                                                                                        • API String ID: 1025951953-3636473452
                                                                                        • Opcode ID: 3ea986d15074d497c73f7dd02bc740610289dd7027e094c2be9a459f6a1018bc
                                                                                        • Instruction ID: f64e1d339063a1ed5c7862adbf7bfa9553e062a6b9c53ce4c3bae21f7bd66afe
                                                                                        • Opcode Fuzzy Hash: 3ea986d15074d497c73f7dd02bc740610289dd7027e094c2be9a459f6a1018bc
                                                                                        • Instruction Fuzzy Hash: F8118EB214021DBEEB118F64CC85EF77F5EEF087A8F014110BB18A2150CA769C21DBA4
                                                                                        APIs
                                                                                          • Part of subcall function 0069D7A3: _free.LIBCMT ref: 0069D7CC
                                                                                        • _free.LIBCMT ref: 0069D82D
                                                                                          • Part of subcall function 006929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000), ref: 006929DE
                                                                                          • Part of subcall function 006929C8: GetLastError.KERNEL32(00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000,00000000), ref: 006929F0
                                                                                        • _free.LIBCMT ref: 0069D838
                                                                                        • _free.LIBCMT ref: 0069D843
                                                                                        • _free.LIBCMT ref: 0069D897
                                                                                        • _free.LIBCMT ref: 0069D8A2
                                                                                        • _free.LIBCMT ref: 0069D8AD
                                                                                        • _free.LIBCMT ref: 0069D8B8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                        • Instruction ID: 38e6aeca5e90b299740c396fd98ae14dbd70162d9a4ed0e801b8991c3c7ee200
                                                                                        • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                        • Instruction Fuzzy Hash: 26112C71540B04BADEA1BFF1CC46FCB7B9E6F00710F400829B29DAA892DA65E50546A4
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006CDA74
                                                                                        • LoadStringW.USER32(00000000), ref: 006CDA7B
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006CDA91
                                                                                        • LoadStringW.USER32(00000000), ref: 006CDA98
                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006CDADC
                                                                                        Strings
                                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 006CDAB9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString$Message
                                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                                        • API String ID: 4072794657-3128320259
                                                                                        • Opcode ID: 01a3874f40131da39004cf098e179594408ff0137998d2dd54914f60d5c89eda
                                                                                        • Instruction ID: 0693f500187e543cba09dc30c665d8d735854479d2383d02d4debc645ba78e8e
                                                                                        • Opcode Fuzzy Hash: 01a3874f40131da39004cf098e179594408ff0137998d2dd54914f60d5c89eda
                                                                                        • Instruction Fuzzy Hash: 01016DF290020C7FE710EBA4DE89EFB766DEB08711F4014A6B746E2141EA749E848F74
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(00C7E2C8,00C7E2C8), ref: 006D097B
                                                                                        • EnterCriticalSection.KERNEL32(00C7E2A8,00000000), ref: 006D098D
                                                                                        • TerminateThread.KERNEL32(56495244,000001F6), ref: 006D099B
                                                                                        • WaitForSingleObject.KERNEL32(56495244,000003E8), ref: 006D09A9
                                                                                        • CloseHandle.KERNEL32(56495244), ref: 006D09B8
                                                                                        • InterlockedExchange.KERNEL32(00C7E2C8,000001F6), ref: 006D09C8
                                                                                        • LeaveCriticalSection.KERNEL32(00C7E2A8), ref: 006D09CF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 3495660284-0
                                                                                        • Opcode ID: b4a20f85196b5396646d89d3ab5bb3edfd67e7ceeec8b2395dab692d5045d360
                                                                                        • Instruction ID: 3f4559a409eae0d7313da7c52f31876293d323a76c30b5899d93f9e7d45ce927
                                                                                        • Opcode Fuzzy Hash: b4a20f85196b5396646d89d3ab5bb3edfd67e7ceeec8b2395dab692d5045d360
                                                                                        • Instruction Fuzzy Hash: 6AF01D32442906ABE7415B94EF88BE67A26FF01712F403016F101948A0C7749565DF90
                                                                                        APIs
                                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006E1DC0
                                                                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006E1DE1
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E1DF2
                                                                                        • htons.WSOCK32(?,?,?,?,?), ref: 006E1EDB
                                                                                        • inet_ntoa.WSOCK32(?), ref: 006E1E8C
                                                                                          • Part of subcall function 006C39E8: _strlen.LIBCMT ref: 006C39F2
                                                                                          • Part of subcall function 006E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,006DEC0C), ref: 006E3240
                                                                                        • _strlen.LIBCMT ref: 006E1F35
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                        • String ID:
                                                                                        • API String ID: 3203458085-0
                                                                                        • Opcode ID: e7d590276d64f2930f05e4cc51b643633a20ef45a6a917a9af57b8232792ce7c
                                                                                        • Instruction ID: 46bd808b2683b87b03e28af0ed6a7bcb4073f40bc75caa260c3b0d903563bae2
                                                                                        • Opcode Fuzzy Hash: e7d590276d64f2930f05e4cc51b643633a20ef45a6a917a9af57b8232792ce7c
                                                                                        • Instruction Fuzzy Hash: C5B1CF30204380AFD324DF25C895E6A7BE6AF85318F54894CF45A9F3A2DB31ED46CB91
                                                                                        APIs
                                                                                        • __allrem.LIBCMT ref: 006900BA
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006900D6
                                                                                        • __allrem.LIBCMT ref: 006900ED
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0069010B
                                                                                        • __allrem.LIBCMT ref: 00690122
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00690140
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                        • String ID:
                                                                                        • API String ID: 1992179935-0
                                                                                        • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                        • Instruction ID: 4cec039e8a5bf9371cba133158c50ab1b308ef67e9781231409a79b84d06a2a6
                                                                                        • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                        • Instruction Fuzzy Hash: 2B81E576A007069FEB24AF68CC41BAA73EFAF45724F24463EF551DAB81E770D9008B54
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006882D9,006882D9,?,?,?,0069644F,00000001,00000001,8BE85006), ref: 00696258
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0069644F,00000001,00000001,8BE85006,?,?,?), ref: 006962DE
                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006963D8
                                                                                        • __freea.LIBCMT ref: 006963E5
                                                                                          • Part of subcall function 00693820: RtlAllocateHeap.NTDLL(00000000,?,00731444,?,0067FDF5,?,?,0066A976,00000010,00731440,006613FC,?,006613C6,?,00661129), ref: 00693852
                                                                                        • __freea.LIBCMT ref: 006963EE
                                                                                        • __freea.LIBCMT ref: 00696413
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1414292761-0
                                                                                        • Opcode ID: d3367538f8b71623ffc7e1ad9b0bca56dcf3f42148d48431ddb52f69d77f74d8
                                                                                        • Instruction ID: 8f821aa4417562340e03f2272ee240ea91962518be52e3ce88d7ec10f178f52a
                                                                                        • Opcode Fuzzy Hash: d3367538f8b71623ffc7e1ad9b0bca56dcf3f42148d48431ddb52f69d77f74d8
                                                                                        • Instruction Fuzzy Hash: 0751CE72A00316ABEF268F64CD81EBF77AFEB44750F154629F805D6680EB34DD51C6A0
                                                                                        APIs
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                          • Part of subcall function 006EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006EB6AE,?,?), ref: 006EC9B5
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006EC9F1
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006ECA68
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006ECA9E
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006EBCCA
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006EBD25
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 006EBD6A
                                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006EBD99
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 006EBDF3
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 006EBDFF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                        • String ID:
                                                                                        • API String ID: 1120388591-0
                                                                                        • Opcode ID: a82f22730aa66eaeceec102de00905374962743a012f148de7b912f736b4fd5e
                                                                                        • Instruction ID: 8b36c42c940c659a7e395425e1e1a4dde79633ecc6a10fdf91bb8d182ffcbc96
                                                                                        • Opcode Fuzzy Hash: a82f22730aa66eaeceec102de00905374962743a012f148de7b912f736b4fd5e
                                                                                        • Instruction Fuzzy Hash: 12818C30109381AFD714DF25C895E6ABBE6FF84308F14995CF4598B2A2DB31ED45CB92
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(00000035), ref: 006BF7B9
                                                                                        • SysAllocString.OLEAUT32(00000001), ref: 006BF860
                                                                                        • VariantCopy.OLEAUT32(006BFA64,00000000), ref: 006BF889
                                                                                        • VariantClear.OLEAUT32(006BFA64), ref: 006BF8AD
                                                                                        • VariantCopy.OLEAUT32(006BFA64,00000000), ref: 006BF8B1
                                                                                        • VariantClear.OLEAUT32(?), ref: 006BF8BB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearCopy$AllocInitString
                                                                                        • String ID:
                                                                                        • API String ID: 3859894641-0
                                                                                        • Opcode ID: a9bc3088b0541f61f0b12b0901a729f13489f0b6e7df98b40c583b62872ac607
                                                                                        • Instruction ID: 3c7dc53f4a25a2aa92e836d657038723f30d002a5b68d22b558c5ad603d57002
                                                                                        • Opcode Fuzzy Hash: a9bc3088b0541f61f0b12b0901a729f13489f0b6e7df98b40c583b62872ac607
                                                                                        • Instruction Fuzzy Hash: 4551D871900310BACF646B65DC95BA9B3E7EF45710B20947BE905DF2A1DB708C81CB9A
                                                                                        APIs
                                                                                          • Part of subcall function 00667620: _wcslen.LIBCMT ref: 00667625
                                                                                          • Part of subcall function 00666B57: _wcslen.LIBCMT ref: 00666B6A
                                                                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 006D94E5
                                                                                        • _wcslen.LIBCMT ref: 006D9506
                                                                                        • _wcslen.LIBCMT ref: 006D952D
                                                                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 006D9585
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$FileName$OpenSave
                                                                                        • String ID: X
                                                                                        • API String ID: 83654149-3081909835
                                                                                        • Opcode ID: 965ac2d96beba29fd43114e4f5b55143454838de6fb726a402326dbf0b54987a
                                                                                        • Instruction ID: 0d52f7d045e7a417f4f26b961642c245cae3c71218c4ec2ac0a48f8bc7ed9d85
                                                                                        • Opcode Fuzzy Hash: 965ac2d96beba29fd43114e4f5b55143454838de6fb726a402326dbf0b54987a
                                                                                        • Instruction Fuzzy Hash: AFE1B531904340DFD764EF24C881A6AB7E6BF85314F14896DF8899B3A2DB31DD05CBA5
                                                                                        APIs
                                                                                          • Part of subcall function 00679BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00679BB2
                                                                                        • BeginPaint.USER32(?,?,?), ref: 00679241
                                                                                        • GetWindowRect.USER32(?,?), ref: 006792A5
                                                                                        • ScreenToClient.USER32(?,?), ref: 006792C2
                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006792D3
                                                                                        • EndPaint.USER32(?,?,?,?,?), ref: 00679321
                                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006B71EA
                                                                                          • Part of subcall function 00679339: BeginPath.GDI32(00000000), ref: 00679357
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                        • String ID:
                                                                                        • API String ID: 3050599898-0
                                                                                        • Opcode ID: 730cf408954c710a3900013c189ec5d5b892e449347fee79072649e76ddb9cb4
                                                                                        • Instruction ID: 2ff7d99010ccdc2fdf8dcca6048ad8740cd124c14bdd4d77c5e0fd14f2208ab6
                                                                                        • Opcode Fuzzy Hash: 730cf408954c710a3900013c189ec5d5b892e449347fee79072649e76ddb9cb4
                                                                                        • Instruction Fuzzy Hash: BD41B270104200AFE710DF24CC84FBA7BFAEB85331F144269F969872A2C731A945DB71
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 006D080C
                                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 006D0847
                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 006D0863
                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 006D08DC
                                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006D08F3
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 006D0921
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                        • String ID:
                                                                                        • API String ID: 3368777196-0
                                                                                        • Opcode ID: e03dc700e120e13c3d27139ac5aeebca223fa607768ebaee2aaeef6b478b368f
                                                                                        • Instruction ID: a1d9712293c1d4f252a7267229c1e2c323a7d5aebc65056d6f8575700d414923
                                                                                        • Opcode Fuzzy Hash: e03dc700e120e13c3d27139ac5aeebca223fa607768ebaee2aaeef6b478b368f
                                                                                        • Instruction Fuzzy Hash: 10415C71900209EBEF14EF54DC85AAA777AFF04310F1480A9ED049E297DB70DE65DBA4
                                                                                        APIs
                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,006BF3AB,00000000,?,?,00000000,?,006B682C,00000004,00000000,00000000), ref: 006F824C
                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 006F8272
                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 006F82D1
                                                                                        • ShowWindow.USER32(00000000,00000004), ref: 006F82E5
                                                                                        • EnableWindow.USER32(00000000,00000001), ref: 006F830B
                                                                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 006F832F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 642888154-0
                                                                                        • Opcode ID: d2ac4972d799ad626cd9adceff7c2d0931cd1d2c6378b694415277ba359ad234
                                                                                        • Instruction ID: 48a7ac3a835d35bf3c8488ae4deaeea6fe23d3d7c7b4d1bdbf9cadb559b0ebea
                                                                                        • Opcode Fuzzy Hash: d2ac4972d799ad626cd9adceff7c2d0931cd1d2c6378b694415277ba359ad234
                                                                                        • Instruction Fuzzy Hash: 9F41923060164CEFDB11CF54C899BF87BE2BB0A715F1851E9E6084B272CB31B945CB94
                                                                                        APIs
                                                                                        • IsWindowVisible.USER32(?), ref: 006C4C95
                                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006C4CB2
                                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006C4CEA
                                                                                        • _wcslen.LIBCMT ref: 006C4D08
                                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006C4D10
                                                                                        • _wcsstr.LIBVCRUNTIME ref: 006C4D1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                        • String ID:
                                                                                        • API String ID: 72514467-0
                                                                                        • Opcode ID: 84095ecf8e89aad4f6a97d7caa6e36dda47a3772e77bdc86f25ff6f8b6695ae3
                                                                                        • Instruction ID: 4c26439b82080cf0dbc61d2e1f4c85603b6b7cba0b8e84c5bab953324b2f6d33
                                                                                        • Opcode Fuzzy Hash: 84095ecf8e89aad4f6a97d7caa6e36dda47a3772e77bdc86f25ff6f8b6695ae3
                                                                                        • Instruction Fuzzy Hash: AE21FC316041057BEB15AB39DD59F7B7B9EDF45760F10802DF809CA191EE61DC01D7A0
                                                                                        APIs
                                                                                          • Part of subcall function 00663AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00663A97,?,?,00662E7F,?,?,?,00000000), ref: 00663AC2
                                                                                        • _wcslen.LIBCMT ref: 006D587B
                                                                                        • CoInitialize.OLE32(00000000), ref: 006D5995
                                                                                        • CoCreateInstance.OLE32(006FFCF8,00000000,00000001,006FFB68,?), ref: 006D59AE
                                                                                        • CoUninitialize.OLE32 ref: 006D59CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 3172280962-24824748
                                                                                        • Opcode ID: 9801dd0efe97bf24b53f03071a7ab463f0be03680c5c9f234c660cf912481678
                                                                                        • Instruction ID: 35906c8b6a88b7a81db077ba155b9503b59bfab35248c701b2479d7870cffe09
                                                                                        • Opcode Fuzzy Hash: 9801dd0efe97bf24b53f03071a7ab463f0be03680c5c9f234c660cf912481678
                                                                                        • Instruction Fuzzy Hash: 49D14471A047019FC714DF24C49096ABBE6FF89724F14895EF88A9B361DB31EC45CB92
                                                                                        APIs
                                                                                          • Part of subcall function 006C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006C0FCA
                                                                                          • Part of subcall function 006C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006C0FD6
                                                                                          • Part of subcall function 006C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006C0FE5
                                                                                          • Part of subcall function 006C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006C0FEC
                                                                                          • Part of subcall function 006C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006C1002
                                                                                        • GetLengthSid.ADVAPI32(?,00000000,006C1335), ref: 006C17AE
                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 006C17BA
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 006C17C1
                                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 006C17DA
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,006C1335), ref: 006C17EE
                                                                                        • HeapFree.KERNEL32(00000000), ref: 006C17F5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                        • String ID:
                                                                                        • API String ID: 3008561057-0
                                                                                        • Opcode ID: 92d33fa9ea34ccc45817f735ebd2991c7bfae4c03255485be54c6797a59fd802
                                                                                        • Instruction ID: 702614b57b2227070154f5c18c942e4c63f30c1f0e6dbe0c1ba560c148731ff5
                                                                                        • Opcode Fuzzy Hash: 92d33fa9ea34ccc45817f735ebd2991c7bfae4c03255485be54c6797a59fd802
                                                                                        • Instruction Fuzzy Hash: 22115931500209EFDB109BA4CD49FFE7BAAEF46365F10441CE4819B211D736AA55DBA0
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006C14FF
                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 006C1506
                                                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006C1515
                                                                                        • CloseHandle.KERNEL32(00000004), ref: 006C1520
                                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006C154F
                                                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 006C1563
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                        • String ID:
                                                                                        • API String ID: 1413079979-0
                                                                                        • Opcode ID: ed6e1d9f514ea5fb50d680fe587ffd171d63df5222974dc2cceef6a8cf5bee63
                                                                                        • Instruction ID: a94d064ad6e07af22886508517f792a3b59d3deb777d5c2b7c0c295c876cfd17
                                                                                        • Opcode Fuzzy Hash: ed6e1d9f514ea5fb50d680fe587ffd171d63df5222974dc2cceef6a8cf5bee63
                                                                                        • Instruction Fuzzy Hash: F3116D7250020DABDF11CF94DE49FEE7BAAEF4A754F044018FA05A6160C372CE65EB60
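The function listings on this page are the Joe Sandbox IDA plugin's per-function API inventory, and reading them by eye across hundreds of functions is slow. The following Python is an added example, not Joe Sandbox code: it parses that listing format into records (API name, module, arguments, xref, and the enclosing subcall where the plugin marks one), resolves the SendMessageW message numbers it knows, and flags API combinations with a small rule set of the editor's own. The SAMPLE text is constructed from three listings on this page (the window-title matcher, the `.lnk` creator and the CreateProcessWithLogonW function) with the Memory Dump Source lines trimmed; RULES and WM_NAMES are heuristics written for this example, not Joe Sandbox signatures, and the message table covers only the two messages the title-matching function uses.

```python
"""Parse Joe Sandbox IDA-plugin function listings and flag API combinations.
Added example, not Joe Sandbox code. SAMPLE is constructed from three function
listings on this page (Memory Dump Source lines trimmed); RULES and WM_NAMES
are the editor's own, not Joe Sandbox signatures."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# API bullets: plain, "Part of subcall function XXXX:"-prefixed, or without an argument list.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• String ID: .lnk"
HEADINGS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}
WM_NAMES = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH"}  # only the messages seen here
RULES = [  # (label, APIs that must all be present, substring required in "String ID" or None)
    ("spawns process under supplied credentials", {"CreateProcessWithLogonW"}, None),
    ("copies the caller's token SID", {"GetTokenInformation", "CopySid"}, None),
    ("creates a shortcut through COM", {"CoCreateInstance"}, ".lnk"),
    ("scans visible window titles for a substring", {"IsWindowVisible", "SendMessageW", "_wcsstr"}, None),
]
ApiCall = namedtuple("ApiCall", "api module args ref subcall_of")

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self):
        return {c.api for c in self.calls}

def parse_blocks(text):
    """One FunctionBlock per 'APIs' heading; bullets after any other heading become fields."""
    blocks, current, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current, in_apis = FunctionBlock(), True
            blocks.append(current)
        elif current is None or not line:
            continue
        elif line in HEADINGS:
            in_apis = False
        elif in_apis and (m := API_LINE.match(line)):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            current.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif f := FIELD_LINE.match(line):
            current.fields[f["key"]] = f["val"]
    return blocks

def named_messages(block):
    """Resolve the second SendMessageW argument to a WM_* name where the table knows it."""
    out = []
    for c in block.calls:
        if c.api == "SendMessageW" and len(c.args) >= 2 and c.args[1] != "?":
            msg = int(c.args[1], 16)
            out.append(WM_NAMES.get(msg, f"0x{msg:04X}"))
    return out

def flag_block(block):
    names, strings = block.api_names(), block.fields.get("String ID", "")
    return [label for label, required, needle in RULES
            if required <= names and (needle is None or needle in strings)]

def flag_listing(text):
    """Map the first 16 hex digits of each Instruction ID to the rule labels it triggers."""
    return {b.fields.get("Instruction ID", f"block{i}")[:16]: flag_block(b)
            for i, b in enumerate(parse_blocks(text))}

SAMPLE = """\
APIs
• IsWindowVisible.USER32(?), ref: 006C4C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006C4CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006C4CEA
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006C4D10
• _wcsstr.LIBVCRUNTIME ref: 006C4D1A
Similarity
• String ID:
• Instruction ID: 4c26439b82080cf0dbc61d2e1f4c85603b6b7cba0b8e84c5bab953324b2f6d33
APIs
  • Part of subcall function 00663AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00663A97,?,?,00662E7F,?,?,?,00000000), ref: 00663AC2
• CoInitialize.OLE32(00000000), ref: 006D5995
• CoCreateInstance.OLE32(006FFCF8,00000000,00000001,006FFB68,?), ref: 006D59AE
• CoUninitialize.OLE32 ref: 006D59CC
Strings
Similarity
• String ID: .lnk
• Instruction ID: 35906c8b6a88b7a81db077ba155b9503b59bfab35248c701b2479d7870cffe09
APIs
• OpenProcessToken.ADVAPI32(00000000), ref: 006C1506
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006C154F
Similarity
• String ID:
• Instruction ID: a94d064ad6e07af22886508517f792a3b59d3deb777d5c2b7c0c295c876cfd17
"""
```

Feeding the full report text to `flag_listing` gives one entry per function; the `0x0E`/`0x0D` pair resolved by `named_messages` is WM_GETTEXTLENGTH followed by WM_GETTEXT, which together with CharUpperBuffW and `_wcsstr` is a case-insensitive window-title substring match, and a CreateProcessWithLogonW hit is worth reading against the token-SID function listed just before it.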
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,00683379,00682FE5), ref: 00683390
                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0068339E
                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006833B7
                                                                                        • SetLastError.KERNEL32(00000000,?,00683379,00682FE5), ref: 00683409
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                        • String ID:
                                                                                        • API String ID: 3852720340-0
                                                                                        • Opcode ID: c131e1c23a366a604625e189c99b6c00e74b8a844811bcfdd8f01a44de1c5e2c
                                                                                        • Instruction ID: 4334ccbe2ff3c6d2a27abfbe8a823fea8b2a159cf2ef7d45d1253f13fd4a5878
                                                                                        • Opcode Fuzzy Hash: c131e1c23a366a604625e189c99b6c00e74b8a844811bcfdd8f01a44de1c5e2c
                                                                                        • Instruction Fuzzy Hash: AD01B533609331BFAB7537786C859AA2A96EB25B75720432DF410853F1EF154D025788
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,00695686,006A3CD6,?,00000000,?,00695B6A,?,?,?,?,?,0068E6D1,?,00728A48), ref: 00692D78
                                                                                        • _free.LIBCMT ref: 00692DAB
                                                                                        • _free.LIBCMT ref: 00692DD3
                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,0068E6D1,?,00728A48,00000010,00664F4A,?,?,00000000,006A3CD6), ref: 00692DE0
                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,0068E6D1,?,00728A48,00000010,00664F4A,?,?,00000000,006A3CD6), ref: 00692DEC
                                                                                        • _abort.LIBCMT ref: 00692DF2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                        • String ID:
                                                                                        • API String ID: 3160817290-0
                                                                                        • Opcode ID: 93c0ffcfff3c1b1afcaf740cd484d85c4fef1ffd710e8bc01592693eee1d4f27
                                                                                        • Instruction ID: 0bf6891f7be22e75d1ad8a19b545897f6424dfeb07df8ea615a22d0b00d5df2e
                                                                                        • Opcode Fuzzy Hash: 93c0ffcfff3c1b1afcaf740cd484d85c4fef1ffd710e8bc01592693eee1d4f27
                                                                                        • Instruction Fuzzy Hash: 17F0283250460277CF626334BC36E6F255FAFC17B0F20401DF824D2ED2EE24880651A4
                                                                                        APIs
                                                                                          • Part of subcall function 00679639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00679693
                                                                                          • Part of subcall function 00679639: SelectObject.GDI32(?,00000000), ref: 006796A2
                                                                                          • Part of subcall function 00679639: BeginPath.GDI32(?), ref: 006796B9
                                                                                          • Part of subcall function 00679639: SelectObject.GDI32(?,00000000), ref: 006796E2
                                                                                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 006F8A4E
                                                                                        • LineTo.GDI32(?,00000003,00000000), ref: 006F8A62
                                                                                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 006F8A70
                                                                                        • LineTo.GDI32(?,00000000,00000003), ref: 006F8A80
                                                                                        • EndPath.GDI32(?), ref: 006F8A90
                                                                                        • StrokePath.GDI32(?), ref: 006F8AA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                        • String ID:
                                                                                        • API String ID: 43455801-0
                                                                                        • Opcode ID: 63a6ec85ee43f7e4b559baf06059c95193c135811e68a0eff4a8bc44d28974ae
                                                                                        • Instruction ID: 0f770a31647b35152080ad033d291129deb28c377ca77c3b1e36c16a37a5f79a
                                                                                        • Opcode Fuzzy Hash: 63a6ec85ee43f7e4b559baf06059c95193c135811e68a0eff4a8bc44d28974ae
                                                                                        • Instruction Fuzzy Hash: 1B110C7600014DFFEB119F90DC48EAA7F6DEB04364F008052BA1996161C7729D55DB60
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 006C5218
                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 006C5229
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006C5230
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 006C5238
                                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 006C524F
                                                                                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 006C5261
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDevice$Release
                                                                                        • String ID:
                                                                                        • API String ID: 1035833867-0
                                                                                        • Opcode ID: 097f2cda054803bef38ff852ff838eeff8c21462c21dc17e33c917c5b39e3ff0
                                                                                        • Instruction ID: e3a7fba895dffde2b661773598a2305132ae3ef26d84159e2809c9279542067a
                                                                                        • Opcode Fuzzy Hash: 097f2cda054803bef38ff852ff838eeff8c21462c21dc17e33c917c5b39e3ff0
                                                                                        • Instruction Fuzzy Hash: 11018475A04708BBEB109BA59D49F6EBFB9EB44361F044065FA05E7380DA709900CB60
                                                                                        APIs
                                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00661BF4
                                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00661BFC
                                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00661C07
                                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00661C12
                                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00661C1A
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00661C22
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual
                                                                                        • String ID:
                                                                                        • API String ID: 4278518827-0
                                                                                        • Opcode ID: 2ae9f83fbf093dfe0343a59c2dc6071ecc71f44498094d9a131853c7f9876228
                                                                                        • Instruction ID: b4081a0fd309a50a30a59c8250489170e6133683d2d63b5769ac73df6852effe
                                                                                        • Opcode Fuzzy Hash: 2ae9f83fbf093dfe0343a59c2dc6071ecc71f44498094d9a131853c7f9876228
                                                                                        • Instruction Fuzzy Hash: F4016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006CEB30
                                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006CEB46
                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 006CEB55
                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006CEB64
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006CEB6E
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006CEB75
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                        • String ID:
                                                                                        • API String ID: 839392675-0
                                                                                        • Opcode ID: 0be96f6d2ee06a8499343b7f1f2adef0f68bbf30f01c21bdef651527a4f2e297
                                                                                        • Instruction ID: aba954e36eedd48f1d7c4986f88b599d71dc8aaed8044b2e3781f38e4f693a24
                                                                                        • Opcode Fuzzy Hash: 0be96f6d2ee06a8499343b7f1f2adef0f68bbf30f01c21bdef651527a4f2e297
                                                                                        • Instruction Fuzzy Hash: 87F03A7224055CBBE7219B629E0EEFF3A7DEFCBB21F001158F601D1191DBA05A01D6B5
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?), ref: 006B7452
                                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 006B7469
                                                                                        • GetWindowDC.USER32(?), ref: 006B7475
                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 006B7484
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 006B7496
                                                                                        • GetSysColor.USER32(00000005), ref: 006B74B0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                        • String ID:
                                                                                        • API String ID: 272304278-0
                                                                                        • Opcode ID: dfbd650b70474ac875dff95ba68d3c1d5c0dfcb2cd359ac192c910794bd4ce43
                                                                                        • Instruction ID: bf665514ceb7f903e973d9230785fb384b9fe3378e07c9741d5c0571f846249a
                                                                                        • Opcode Fuzzy Hash: dfbd650b70474ac875dff95ba68d3c1d5c0dfcb2cd359ac192c910794bd4ce43
                                                                                        • Instruction Fuzzy Hash: 2B018B31404209EFEB105F64DD08BFE7BB6FB04322F605060F915A22A0CB312E51EB10
                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006C187F
                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 006C188B
                                                                                        • CloseHandle.KERNEL32(?), ref: 006C1894
                                                                                        • CloseHandle.KERNEL32(?), ref: 006C189C
                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 006C18A5
                                                                                        • HeapFree.KERNEL32(00000000), ref: 006C18AC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                        • String ID:
                                                                                        • API String ID: 146765662-0
                                                                                        • Opcode ID: ac9c4ac9dc297c2134e3036065104849c5b331d4d875043eb898665040b695be
                                                                                        • Instruction ID: 1924fc672279b3fd904e823349576bd15347ec2f26a3c79a4d4b4ac35a341f86
                                                                                        • Opcode Fuzzy Hash: ac9c4ac9dc297c2134e3036065104849c5b331d4d875043eb898665040b695be
                                                                                        • Instruction Fuzzy Hash: 61E0E536004909BBDB01AFA1EE0CD1ABF3AFF4AB32B109220F22581070CB329430EF50
                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 0066BEB3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Init_thread_footer
                                                                                        • String ID: D%s$D%s$D%s$D%sD%s
                                                                                        • API String ID: 1385522511-2682592477
                                                                                        • Opcode ID: b1589c63d0b4f11b73faafa1d709ddc4eb009620c919eb7b98a187185417a607
                                                                                        • Instruction ID: 7b14ba81f19be18ade62e240816429c707eed32122a08de2dd63deedffe367a3
                                                                                        • Opcode Fuzzy Hash: b1589c63d0b4f11b73faafa1d709ddc4eb009620c919eb7b98a187185417a607
                                                                                        • Instruction Fuzzy Hash: 5F913A75A0021ADFCB18CF59C0906AABBF2FF58314F249169D945EB351E731EE82CB90
                                                                                        APIs
                                                                                          • Part of subcall function 00680242: EnterCriticalSection.KERNEL32(0073070C,00731884,?,?,0067198B,00732518,?,?,?,006612F9,00000000), ref: 0068024D
                                                                                          • Part of subcall function 00680242: LeaveCriticalSection.KERNEL32(0073070C,?,0067198B,00732518,?,?,?,006612F9,00000000), ref: 0068028A
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                          • Part of subcall function 006800A3: __onexit.LIBCMT ref: 006800A9
                                                                                        • __Init_thread_footer.LIBCMT ref: 006E7BFB
                                                                                          • Part of subcall function 006801F8: EnterCriticalSection.KERNEL32(0073070C,?,?,00678747,00732514), ref: 00680202
                                                                                          • Part of subcall function 006801F8: LeaveCriticalSection.KERNEL32(0073070C,?,00678747,00732514), ref: 00680235
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                        • String ID: +Tk$5$G$Variable must be of type 'Object'.
                                                                                        • API String ID: 535116098-3356992489
                                                                                        • Opcode ID: 298d8899a142279ba5f10e607fd67405caca15f9f69e02fd2f9209d8dd6aa98a
                                                                                        • Instruction ID: 0a748457d1797dd4ab97e87b7e5d1a8d34bb54968a4f8d225a84df9d8706fae8
                                                                                        • Opcode Fuzzy Hash: 298d8899a142279ba5f10e607fd67405caca15f9f69e02fd2f9209d8dd6aa98a
                                                                                        • Instruction Fuzzy Hash: 5D919970A05249EFCB14EF96D9919ADB7B7EF48300F20805DF806AB392DB71AE41CB55
                                                                                        APIs
                                                                                          • Part of subcall function 00667620: _wcslen.LIBCMT ref: 00667625
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006CC6EE
                                                                                        • _wcslen.LIBCMT ref: 006CC735
                                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006CC79C
                                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006CC7CA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info_wcslen$Default
                                                                                        • String ID: 0
                                                                                        • API String ID: 1227352736-4108050209
                                                                                        • Opcode ID: 6d4e64bdee0affc23c0034402adb90f782d2eac295cb547c2281888ee4f2089a
                                                                                        • Instruction ID: 6f7efd73b1b2b47e93e30a183fcf5f1a74b8e612d58ffbbcae999ab76b916eba
                                                                                        • Opcode Fuzzy Hash: 6d4e64bdee0affc23c0034402adb90f782d2eac295cb547c2281888ee4f2089a
                                                                                        • Instruction Fuzzy Hash: CB51DE716043009BD7509F28C985FBBB7EAEF49320F040A2DF999E32A1DB74D804CB66
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 006EAEA3
                                                                                          • Part of subcall function 00667620: _wcslen.LIBCMT ref: 00667625
                                                                                        • GetProcessId.KERNEL32(00000000), ref: 006EAF38
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 006EAF67
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                        • String ID: <$@
                                                                                        • API String ID: 146682121-1426351568
                                                                                        • Opcode ID: 1d1af8ae1bc4a973fdb3ef2e95e9d6bc652c65f4eb974e0ad99c09feafba10aa
                                                                                        • Instruction ID: 7396a3e04b6252fa054e9d0c5c112e384d0c08c089004013959385862b16db45
                                                                                        • Opcode Fuzzy Hash: 1d1af8ae1bc4a973fdb3ef2e95e9d6bc652c65f4eb974e0ad99c09feafba10aa
                                                                                        • Instruction Fuzzy Hash: BD718770A00659DFCB14DFA5C484A9EBBF2BF08314F04849DE856AB3A2CB70ED45CB95
                                                                                        APIs
                                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006C7206
                                                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006C723C
                                                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006C724D
                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006C72CF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                        • String ID: DllGetClassObject
                                                                                        • API String ID: 753597075-1075368562
                                                                                        • Opcode ID: 6c09e11bf0970c67a22ca1c62958eda5ed23dd17148d078278857a46996b70ae
                                                                                        • Instruction ID: dea6399b02b0358e4d761201d5ce7335b1014b6b547a3f5be8d7545ae05d816d
                                                                                        • Opcode Fuzzy Hash: 6c09e11bf0970c67a22ca1c62958eda5ed23dd17148d078278857a46996b70ae
                                                                                        • Instruction Fuzzy Hash: 3C413BB1A04204AFDB15CF54C884FAA7BAAEF54310F2480ADFD059F20AD7B5DA45CFA0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006F2F8D
                                                                                        • LoadLibraryW.KERNEL32(?), ref: 006F2F94
                                                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006F2FA9
                                                                                        • DestroyWindow.USER32(?), ref: 006F2FB1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                        • String ID: SysAnimate32
                                                                                        • API String ID: 3529120543-1011021900
                                                                                        • Opcode ID: 2ac664f9f686add7b494eb861eec2264e4732f25d39a26d6f20c488a9250ebe9
                                                                                        • Instruction ID: 2f55b940da8b1f85bc2caed171f18faf900ff09ce7f084daa4d3df1bda7cb9a2
                                                                                        • Opcode Fuzzy Hash: 2ac664f9f686add7b494eb861eec2264e4732f25d39a26d6f20c488a9250ebe9
                                                                                        • Instruction Fuzzy Hash: 8121CD7126520EABEB104FA4DCA0EFB37BEEB59774F104628FA50D22A0D771DC519B60
                                                                                        APIs
                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00684D1E,006928E9,?,00684CBE,006928E9,007288B8,0000000C,00684E15,006928E9,00000002), ref: 00684D8D
                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00684DA0
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00684D1E,006928E9,?,00684CBE,006928E9,007288B8,0000000C,00684E15,006928E9,00000002,00000000), ref: 00684DC3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                        • API String ID: 4061214504-1276376045
                                                                                        • Opcode ID: 324e2e65954f1a3f5a78a9d493368e8a75b1f74e59f6dcf8cb7f2a11d4b7b647
                                                                                        • Instruction ID: 1d564d7b26385aad9a32a5cbc888d162cb9b6e39391962c48a991b924ba6169b
                                                                                        • Opcode Fuzzy Hash: 324e2e65954f1a3f5a78a9d493368e8a75b1f74e59f6dcf8cb7f2a11d4b7b647
                                                                                        • Instruction Fuzzy Hash: 15F03C35A40209ABDB11AB90DD49BEDBBB6EF44761F0002A8A805A26A0DF745954CB95
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00664EDD,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664E9C
                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00664EAE
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00664EDD,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664EC0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 145871493-3689287502
                                                                                        • Opcode ID: 278fadac5212917d026bf08a2f858230d586c0113f5027cb3c72194fc10239de
                                                                                        • Instruction ID: 3d1228a2f31e8a266ade925a07d2a3111fba3e589e1aa8e9f144cf0e38a31331
                                                                                        • Opcode Fuzzy Hash: 278fadac5212917d026bf08a2f858230d586c0113f5027cb3c72194fc10239de
                                                                                        • Instruction Fuzzy Hash: CCE08C36A026265BD3225B25AD18ABB6A6AAF81B72B051115FD04E2204DF64CD1580A0
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,006A3CDE,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664E62
                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00664E74
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,006A3CDE,?,00731418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00664E87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 145871493-1355242751
                                                                                        • Opcode ID: 04fbc64e68c4d9d0ddcf6fcf1dcbf50a8032260eae97a07be306860a93cee637
                                                                                        • Instruction ID: 07c9fb94ec6c9e344cd9a01c61f14e885749936ec19de283444e81c002aa3695
                                                                                        • Opcode Fuzzy Hash: 04fbc64e68c4d9d0ddcf6fcf1dcbf50a8032260eae97a07be306860a93cee637
                                                                                        • Instruction Fuzzy Hash: BAD05B395026367BD7325B257D1CDEF6A1BAF85F713050515F905E2214CF65CE11C5D0
                                                                                        APIs
                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006D2C05
                                                                                        • DeleteFileW.KERNEL32(?), ref: 006D2C87
                                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006D2C9D
                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006D2CAE
                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006D2CC0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Delete$Copy
                                                                                        • String ID:
                                                                                        • API String ID: 3226157194-0
                                                                                        • Opcode ID: 1af6194d95cc089a9431af6c63106195c275ea21406c476e653df7eb5a4e9b42
                                                                                        • Instruction ID: 240065f31bfe0405e86e09ab40b1510d8d6ee496796b1002fab84659aa1927f0
                                                                                        • Opcode Fuzzy Hash: 1af6194d95cc089a9431af6c63106195c275ea21406c476e653df7eb5a4e9b42
                                                                                        • Instruction Fuzzy Hash: B7B16F71D00119ABDF61EBA4CC95EDEB77EEF58310F1040AAF609E7241EA319E448F65
                                                                                        APIs
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 006EA427
                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006EA435
                                                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 006EA468
                                                                                        • CloseHandle.KERNEL32(?), ref: 006EA63D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                        • String ID:
                                                                                        • API String ID: 3488606520-0
                                                                                        • Opcode ID: ec7134cfd8f61d7d3d79d032c25f848d82e9c2165bcec793c1250e3e0b745abd
                                                                                        • Instruction ID: 914747168f03359bd3773e8e17f345f8746cc5ec3da40b1b10daab6e73b7beb0
                                                                                        • Opcode Fuzzy Hash: ec7134cfd8f61d7d3d79d032c25f848d82e9c2165bcec793c1250e3e0b745abd
                                                                                        • Instruction Fuzzy Hash: 07A1AD716043009FE720DF25C886B2AB7E6AF84714F14885DF59ADB392DBB0EC41CB96
                                                                                        APIs
                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00703700), ref: 0069BB91
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0073121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0069BC09
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00731270,000000FF,?,0000003F,00000000,?), ref: 0069BC36
                                                                                        • _free.LIBCMT ref: 0069BB7F
                                                                                          • Part of subcall function 006929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000), ref: 006929DE
                                                                                          • Part of subcall function 006929C8: GetLastError.KERNEL32(00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000,00000000), ref: 006929F0
                                                                                        • _free.LIBCMT ref: 0069BD4B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                        • String ID:
                                                                                        • API String ID: 1286116820-0
                                                                                        • Opcode ID: c2c3b82414e8c565f0bc3213bd259a2f1ada1932fd1da12d16ecb3ed62f6612a
                                                                                        • Instruction ID: 371d9630707ab4073b180ade2d0959fa41a08873fd3990ad25abde34719e33d7
                                                                                        • Opcode Fuzzy Hash: c2c3b82414e8c565f0bc3213bd259a2f1ada1932fd1da12d16ecb3ed62f6612a
                                                                                        • Instruction Fuzzy Hash: 7851E671900209EFDF10EF65AE819BEB7BEFF40320B50526EE454D7691EB709E418B98
                                                                                        APIs
                                                                                          • Part of subcall function 006CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006CCF22,?), ref: 006CDDFD
                                                                                          • Part of subcall function 006CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006CCF22,?), ref: 006CDE16
                                                                                          • Part of subcall function 006CE199: GetFileAttributesW.KERNEL32(?,006CCF95), ref: 006CE19A
                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 006CE473
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 006CE4AC
                                                                                        • _wcslen.LIBCMT ref: 006CE5EB
                                                                                        • _wcslen.LIBCMT ref: 006CE603
                                                                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 006CE650
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 3183298772-0
                                                                                        • Opcode ID: fa444f4dd43943cd9487a06a8e357608abecb4b6395d0a47b7f763781684e974
                                                                                        • Instruction ID: 4d1dce47f1663729e1046bad336b3e4a21ad43ba69120b0d6189cf373a9828fe
                                                                                        • Opcode Fuzzy Hash: fa444f4dd43943cd9487a06a8e357608abecb4b6395d0a47b7f763781684e974
                                                                                        • Instruction Fuzzy Hash: A95184B24087455BC764EB90C881EEF73EEEF85340F00491EF589D3191EF75A688876A
                                                                                        APIs
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                          • Part of subcall function 006EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006EB6AE,?,?), ref: 006EC9B5
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006EC9F1
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006ECA68
                                                                                          • Part of subcall function 006EC998: _wcslen.LIBCMT ref: 006ECA9E
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006EBAA5
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006EBB00
                                                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006EBB63
                                                                                        • RegCloseKey.ADVAPI32(?,?), ref: 006EBBA6
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 006EBBB3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                        • String ID:
                                                                                        • API String ID: 826366716-0
                                                                                        • Opcode ID: d8837035a91c84019b230156a5732474aed44636e214acbb9ef9a4a55c35b8b8
                                                                                        • Instruction ID: 78d3ba18282b0f8c28a61d342013cc7712fb66cca05abb905ca9bb5f15ef05f3
                                                                                        • Opcode Fuzzy Hash: d8837035a91c84019b230156a5732474aed44636e214acbb9ef9a4a55c35b8b8
                                                                                        • Instruction Fuzzy Hash: A8615C31209341AFD714DF15C490E6ABBE6FF84318F14996CF4998B2A2DB31ED46CB92
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 006C8BCD
                                                                                        • VariantClear.OLEAUT32 ref: 006C8C3E
                                                                                        • VariantClear.OLEAUT32 ref: 006C8C9D
                                                                                        • VariantClear.OLEAUT32(?), ref: 006C8D10
                                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006C8D3B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$Clear$ChangeInitType
                                                                                        • String ID:
                                                                                        • API String ID: 4136290138-0
                                                                                        • Opcode ID: 204c01c20dd70fc70b42b417a29f764856348895617c8b2deb4cc5221693d444
                                                                                        • Instruction ID: 649ca378d83770b29b46a015e31ffeebcfd8022a2b2206ab865511c2ba5c6585
                                                                                        • Opcode Fuzzy Hash: 204c01c20dd70fc70b42b417a29f764856348895617c8b2deb4cc5221693d444
                                                                                        • Instruction Fuzzy Hash: 995159B5A00619EFCB14CF68D894EAAB7F9FF89310B158559E906DB350E730E911CB90
                                                                                        APIs
                                                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006D8BAE
                                                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 006D8BDA
                                                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006D8C32
                                                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006D8C57
                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006D8C5F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfile$SectionWrite$String
                                                                                        • String ID:
                                                                                        • API String ID: 2832842796-0
                                                                                        • Opcode ID: 9fc72f938cc94d36349c991d03a4e8258e3bba7ea508e2bde6853380258b3ed0
                                                                                        • Instruction ID: 049a260cc9e8f8c252731f5fb8631f3b13fb3decd6277b785c4549895b07c50b
                                                                                        • Opcode Fuzzy Hash: 9fc72f938cc94d36349c991d03a4e8258e3bba7ea508e2bde6853380258b3ed0
                                                                                        • Instruction Fuzzy Hash: 5B515D35A00214DFCB04DF64C885EA9BBF6FF48314F088499E84AAB362DB31ED51CB94
                                                                                        APIs
                                                                                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 006E8F40
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 006E8FD0
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 006E8FEC
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 006E9032
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 006E9052
                                                                                          • Part of subcall function 0067F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,006D1043,?,75C0E610), ref: 0067F6E6
                                                                                          • Part of subcall function 0067F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,006BFA64,00000000,00000000,?,?,006D1043,?,75C0E610,?,006BFA64), ref: 0067F70D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                        • String ID:
                                                                                        • API String ID: 666041331-0
                                                                                        • Opcode ID: e73be0bae4976623d468cbf4663b52ddab94435cc9c482cd2a0a1d0faf2606cd
                                                                                        • Instruction ID: 0ff216f613f76f7516f0088beaf058dbdb8f639d8657069ad5c8bdb75f74f852
                                                                                        • Opcode Fuzzy Hash: e73be0bae4976623d468cbf4663b52ddab94435cc9c482cd2a0a1d0faf2606cd
                                                                                        • Instruction Fuzzy Hash: 81514A35601245DFCB15DF59C4948EDBBF2FF49324B0480A9E80AAB362DB31ED86CB90
                                                                                        APIs
                                                                                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 006F6C33
                                                                                        • SetWindowLongW.USER32(?,000000EC,?), ref: 006F6C4A
                                                                                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 006F6C73
                                                                                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,006DAB79,00000000,00000000), ref: 006F6C98
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 006F6CC7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$MessageSendShow
                                                                                        • String ID:
                                                                                        • API String ID: 3688381893-0
                                                                                        • Opcode ID: 58130b69b01e3b8b7efc0dd43ae0ab014ea970e9338d83f189411c4cb5483dad
                                                                                        • Instruction ID: 41b78ba32bc21977e83811c248bbd02bb68a5df55fe28aedc9b3319ed85f779f
                                                                                        • Opcode Fuzzy Hash: 58130b69b01e3b8b7efc0dd43ae0ab014ea970e9338d83f189411c4cb5483dad
                                                                                        • Instruction Fuzzy Hash: FD41AD35A0410CAFDB24CF68CD59FF97BA6EB09360F150268FA99E73A1C371AD51CA40
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free
                                                                                        • String ID:
                                                                                        • API String ID: 269201875-0
                                                                                        • Opcode ID: 07e7d12103b52150bd147d27670d75bcdf16cadbaa0333b9020381b32d6196ec
                                                                                        • Instruction ID: df8156e0e2517f735accb9d25d6afd47c84696bd32a64d5907dd180a285d9963
                                                                                        • Opcode Fuzzy Hash: 07e7d12103b52150bd147d27670d75bcdf16cadbaa0333b9020381b32d6196ec
                                                                                        • Instruction Fuzzy Hash: 6741E432A00201AFCF20DF78C890A9DB7AAEF88314F158568E615EB751D631AD01CB80
                                                                                        APIs
                                                                                        • GetCursorPos.USER32(?), ref: 00679141
                                                                                        • ScreenToClient.USER32(00000000,?), ref: 0067915E
                                                                                        • GetAsyncKeyState.USER32(00000001), ref: 00679183
                                                                                        • GetAsyncKeyState.USER32(00000002), ref: 0067919D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncState$ClientCursorScreen
                                                                                        • String ID:
                                                                                        • API String ID: 4210589936-0
                                                                                        • Opcode ID: 965fefad7b3019e41d71cf8ff78aaeed950a9d3d7a6599808b586beab6be0af1
                                                                                        • Instruction ID: 6f7d84c0806528fa62aa0a3014b4aeb892b2a3bc1c10bf4a985b56c0745c28d5
                                                                                        • Opcode Fuzzy Hash: 965fefad7b3019e41d71cf8ff78aaeed950a9d3d7a6599808b586beab6be0af1
                                                                                        • Instruction Fuzzy Hash: A441607190850BBBDF159F68C844BFEB7B6FB45324F248219E429A7290C73459A4CF61
                                                                                        APIs
                                                                                        • GetInputState.USER32 ref: 006D38CB
                                                                                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 006D3922
                                                                                        • TranslateMessage.USER32(?), ref: 006D394B
                                                                                        • DispatchMessageW.USER32(?), ref: 006D3955
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006D3966
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                        • String ID:
                                                                                        • API String ID: 2256411358-0
                                                                                        • Opcode ID: a19603784f1fd3cfc0c48f86eff6f0550126ef4422f8cd522c5e0da5883267ac
                                                                                        • Instruction ID: 779df7ea51b098f2f5b29f6e407140daafc215f9d5930b621b907fd655bce826
                                                                                        • Opcode Fuzzy Hash: a19603784f1fd3cfc0c48f86eff6f0550126ef4422f8cd522c5e0da5883267ac
                                                                                        • Instruction Fuzzy Hash: AA31F770D043559EFB35CB349858BF637AAAB05311F44446FE462CA3A0F3F8A685DB16
                                                                                        APIs
                                                                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,006DC21E,00000000), ref: 006DCF38
                                                                                        • InternetReadFile.WININET(?,00000000,?,?), ref: 006DCF6F
                                                                                        • GetLastError.KERNEL32(?,00000000,?,?,?,006DC21E,00000000), ref: 006DCFB4
                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,006DC21E,00000000), ref: 006DCFC8
                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,006DC21E,00000000), ref: 006DCFF2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                        • String ID:
                                                                                        • API String ID: 3191363074-0
                                                                                        • Opcode ID: 4127ecbb4a7009546b17bddb8098547cc34036dc2274abf629f625f4fb5f9dae
                                                                                        • Instruction ID: 82e559052b3e1bf0970d3fd8c4a237ac172b923c6f64a23172fb5f9921ebeaab
                                                                                        • Opcode Fuzzy Hash: 4127ecbb4a7009546b17bddb8098547cc34036dc2274abf629f625f4fb5f9dae
                                                                                        • Instruction Fuzzy Hash: DD312D7190460AAFDB20DFA5C9849EABBFBEF54361B10842EF516D2351DB30AE41DB60
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 006C1915
                                                                                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 006C19C1
                                                                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 006C19C9
                                                                                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 006C19DA
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 006C19E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleep$RectWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3382505437-0
                                                                                        • Opcode ID: ffeed3d7dfc8c67c04ff326ac3a556b7ac471a7e8c6e131f75f92a7b21efcfbe
                                                                                        • Instruction ID: d934124aa58bc90410f56458db7dcd4e5e8bcb26dfb990855b67831e6319283b
                                                                                        • Opcode Fuzzy Hash: ffeed3d7dfc8c67c04ff326ac3a556b7ac471a7e8c6e131f75f92a7b21efcfbe
                                                                                        • Instruction Fuzzy Hash: 9931AF71900219EFCB10CFA8C999BEE7BB6EB46325F104229F921AB2D1C7709954DB90
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 006F5745
                                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 006F579D
                                                                                        • _wcslen.LIBCMT ref: 006F57AF
                                                                                        • _wcslen.LIBCMT ref: 006F57BA
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 006F5816
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 763830540-0
                                                                                        • Opcode ID: dd75cbdf0e089295833bf0d936a0c3c2dca3cefbba22a3983f227f6e70c9d486
                                                                                        • Instruction ID: 160cfccf8fda4f3b0919944a2ed0bd60fe99b47025bc800bed40466b64cda137
                                                                                        • Opcode Fuzzy Hash: dd75cbdf0e089295833bf0d936a0c3c2dca3cefbba22a3983f227f6e70c9d486
                                                                                        • Instruction Fuzzy Hash: 9A21857190461C9ADB209F64CC85AFD77BAFF04724F108216EB2AEA284D7708D85CF50
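The numeric arguments in the PostMessageW/Sleep block and the SendMessageW block above only become readable once the uMsg values are decoded: 0x0201 and 0x0202 are WM_LBUTTONDOWN and WM_LBUTTONUP (a faked left click posted to a window), and the 0x10xx values are list-view control messages (LVM_FIRST is 0x1000). The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses API lines in the shape this report uses, decodes the message constants it knows, and tags each function block with what the call sequence implies. The sample input is constructed from lines copied from this report; the tag names and the matching rules are the example's own choices.

```python
import re

# Constructed sample input: API lines copied in the shape this report uses
# (the PostMessageW/Sleep block, the SendMessageW block and the
# QueryPerformanceCounter block of this listing).
SAMPLE_LISTING = """\
APIs
• GetWindowRect.USER32(?,?), ref: 006C1915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 006C19C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 006C19C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 006C19DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 006C19E2
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 006F5745
• SendMessageW.USER32(?,00001074,?,00000001), ref: 006F579D
• _wcslen.LIBCMT ref: 006F57AF
• _wcslen.LIBCMT ref: 006F57BA
• SendMessageW.USER32(?,00001002,00000000,?), ref: 006F5816
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 006CE997
• QueryPerformanceFrequency.KERNEL32(?), ref: 006CE9A5
• Sleep.KERNEL32(00000000), ref: 006CE9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 006CE9B7
"""

# One API line: "• Name.MODULE(args), ref: ADDR"; the argument list is optional
# (CRT helpers such as _wcslen are listed without one).
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 message constants; LVM_* are LVM_FIRST (0x1000) plus the documented offset.
WINDOW_MESSAGES = {
    0x0201: "WM_LBUTTONDOWN",
    0x0202: "WM_LBUTTONUP",
    0x1002: "LVM_GETIMAGELIST",   # LVM_FIRST + 2
    0x1053: "LVM_FINDITEMW",      # LVM_FIRST + 83
    0x1074: "LVM_SETITEMTEXTW",   # LVM_FIRST + 116
}
MESSAGE_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}


def _arg(token):
    """Hex literal -> int; '?' (unresolved by the sandbox) -> None."""
    return int(token, 16) if re.fullmatch(r"-?[0-9A-Fa-f]+", token) else None


def parse_listing(text):
    """Split the listing into function blocks (one per 'APIs' header) of parsed calls."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue  # dump metadata, hashes and subcall notes are not API calls
        raw = m.group("args")
        args = [] if raw is None else [_arg(a.strip()) for a in raw.split(",")]
        current.append({"name": m.group("name"), "module": m.group("module"),
                        "args": args, "ref": int(m.group("ref"), 16)})
    return blocks


def decode_message(call):
    """For a Post/SendMessage call, name the uMsg argument (2nd parameter) if known."""
    if call["name"] not in MESSAGE_APIS or len(call["args"]) < 2:
        return None
    return WINDOW_MESSAGES.get(call["args"][1])


def classify_block(block):
    """Tag a block by what its call sequence can do (a triage hint, not an attribution)."""
    tags = set()
    names = [c["name"] for c in block]
    msgs = [decode_message(c) for c in block]
    # WM_LBUTTONDOWN followed by WM_LBUTTONUP, both posted/sent by code: a faked click.
    if "WM_LBUTTONDOWN" in msgs and "WM_LBUTTONUP" in msgs[msgs.index("WM_LBUTTONDOWN") + 1:]:
        tags.add("synthetic_mouse_click")
    if any(m is not None and m.startswith("LVM_") for m in msgs):
        tags.add("listview_control")
    # Two QueryPerformanceCounter reads around a Sleep: an elapsed-time measurement.
    qpc = [i for i, n in enumerate(names) if n == "QueryPerformanceCounter"]
    if len(qpc) >= 2 and any(qpc[0] < i < qpc[-1] for i, n in enumerate(names) if n == "Sleep"):
        tags.add("timing_measurement")
    if any(n in {"InternetReadFile", "InternetQueryDataAvailable"} for n in names):
        tags.add("wininet_read")
    return sorted(tags)


def triage(text):
    """One summary row per function block: API sequence, decoded messages and tags."""
    rows = []
    for i, block in enumerate(parse_listing(text)):
        rows.append({"block": i,
                     "apis": [c["name"] for c in block],
                     "messages": [m for m in map(decode_message, block) if m],
                     "tags": classify_block(block)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LISTING):
        print(row)
```

Treat the tags as hints about capability, not as evidence of intent: the sample is flagged in this report as a compiled AutoIt script, so the listed sequences are largely the AutoIt runtime's built-in function implementations that ship in every compiled script, and a block that can fake a click or time a Sleep says nothing about whether the embedded script calls it.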
                                                                                        APIs
                                                                                        • IsWindow.USER32(00000000), ref: 006E0951
                                                                                        • GetForegroundWindow.USER32 ref: 006E0968
                                                                                        • GetDC.USER32(00000000), ref: 006E09A4
                                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 006E09B0
                                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 006E09E8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ForegroundPixelRelease
                                                                                        • String ID:
                                                                                        • API String ID: 4156661090-0
                                                                                        • Opcode ID: 0c6db85401c43133bbd718ef088223a6725b215ca813b5d1f00c46da48f3788b
                                                                                        • Instruction ID: 9026121fdf3166060dcac80c0cc03dae1a24b1a9fa5325f24e9400f9f4b95fbc
                                                                                        • Opcode Fuzzy Hash: 0c6db85401c43133bbd718ef088223a6725b215ca813b5d1f00c46da48f3788b
                                                                                        • Instruction Fuzzy Hash: 95218135A00204AFD744EF65D985AAEBBE6EF45710F04846DE84AD7362DB70AC44CB90
                                                                                        APIs
                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0069CDC6
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0069CDE9
                                                                                          • Part of subcall function 00693820: RtlAllocateHeap.NTDLL(00000000,?,00731444,?,0067FDF5,?,?,0066A976,00000010,00731440,006613FC,?,006613C6,?,00661129), ref: 00693852
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0069CE0F
                                                                                        • _free.LIBCMT ref: 0069CE22
                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0069CE31
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                        • String ID:
                                                                                        • API String ID: 336800556-0
                                                                                        • Opcode ID: 7d123d0cac0a7e57d630255d88c0e2299564c0d2b1d24c9b79eb3b3590fb0305
                                                                                        • Instruction ID: 42a9d488196ee41372bad966690834b143643a4d3e4493085f5fc269344b1a09
                                                                                        • Opcode Fuzzy Hash: 7d123d0cac0a7e57d630255d88c0e2299564c0d2b1d24c9b79eb3b3590fb0305
                                                                                        • Instruction Fuzzy Hash: 8F01F7726012167FAB2156BA6C9CCBB796FDEC6BB1315012DFD06C7700EA608D02C2F4
                                                                                        APIs
                                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00679693
                                                                                        • SelectObject.GDI32(?,00000000), ref: 006796A2
                                                                                        • BeginPath.GDI32(?), ref: 006796B9
                                                                                        • SelectObject.GDI32(?,00000000), ref: 006796E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                                        • String ID:
                                                                                        • API String ID: 3225163088-0
                                                                                        • Opcode ID: 899a57c70647b84d7b5aa8f57d3189de19d92d7057c9775fedfff993e8c785b5
                                                                                        • Instruction ID: 1ef51786fc22fb8fe614ff1f05fc46b24ae56b762fe8ef217d4e2e4474f54615
                                                                                        • Opcode Fuzzy Hash: 899a57c70647b84d7b5aa8f57d3189de19d92d7057c9775fedfff993e8c785b5
                                                                                        • Instruction Fuzzy Hash: 03218070802345EBFB11DF24DD14BE93BEABB41726F508316F414A62B0D375A891CBA8
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 2931989736-0
                                                                                        • Opcode ID: ddd3365850281f45bd105d3c5fa793debb22c01ba35e9c518d4789d66fe1bf6f
                                                                                        • Instruction ID: cc8212905e050f950586bcb47511610463babc44f0c3ca7bf18538d03394d2c8
                                                                                        • Opcode Fuzzy Hash: ddd3365850281f45bd105d3c5fa793debb22c01ba35e9c518d4789d66fe1bf6f
                                                                                        • Instruction Fuzzy Hash: E2019262641619BB921866109E92FFB735FDF22394B004029FE069F241FA60FD9282B9
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,?,0068F2DE,00693863,00731444,?,0067FDF5,?,?,0066A976,00000010,00731440,006613FC,?,006613C6), ref: 00692DFD
                                                                                        • _free.LIBCMT ref: 00692E32
                                                                                        • _free.LIBCMT ref: 00692E59
                                                                                        • SetLastError.KERNEL32(00000000,00661129), ref: 00692E66
                                                                                        • SetLastError.KERNEL32(00000000,00661129), ref: 00692E6F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_free
                                                                                        • String ID:
                                                                                        • API String ID: 3170660625-0
                                                                                        • Opcode ID: 808f7f7e15c8077c9051daf7c4fff1eca1cbbfe06b702395c411354bea80f6e9
                                                                                        • Instruction ID: 071b0a3e038c5bb2123650db2bf0184cadaa8389048b89b854bc4786f6482466
                                                                                        • Opcode Fuzzy Hash: 808f7f7e15c8077c9051daf7c4fff1eca1cbbfe06b702395c411354bea80f6e9
                                                                                        • Instruction Fuzzy Hash: B701F4726056067BCF1267356CE6D7B269FAFD17B5B21402CF425A2B93EE648C0241A4
                                                                                        APIs
                                                                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?,?,?,006C035E), ref: 006C002B
                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?,?), ref: 006C0046
                                                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?,?), ref: 006C0054
                                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?), ref: 006C0064
                                                                                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006BFF41,80070057,?,?), ref: 006C0070
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 3897988419-0
                                                                                        • Opcode ID: 2d936c48c3b34c07cff6db782bcfe9003c910a4134b382d8055a4f01010775d6
                                                                                        • Instruction ID: 65bab9a643740dd7400aeb06135ecee52c97afaf3b746ab208844efe856f61ec
                                                                                        • Opcode Fuzzy Hash: 2d936c48c3b34c07cff6db782bcfe9003c910a4134b382d8055a4f01010775d6
                                                                                        • Instruction Fuzzy Hash: 53017472600208EBEB104F68DD08FBA7AAEEB487A2F155128F905D2210EB71DD408BA0
                                                                                        APIs
                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 006CE997
                                                                                        • QueryPerformanceFrequency.KERNEL32(?), ref: 006CE9A5
                                                                                        • Sleep.KERNEL32(00000000), ref: 006CE9AD
                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 006CE9B7
                                                                                        • Sleep.KERNEL32 ref: 006CE9F3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                        • String ID:
                                                                                        • API String ID: 2833360925-0
                                                                                        • Opcode ID: 77fe3334644f95f814bb3f16e7c9617fbda25bf550d64aa47369ff7a5cc82e56
                                                                                        • Instruction ID: bff0d4909efceb1836a3de3ac0d333f4bce3b690b722d10714f4c3b3324f44cf
                                                                                        • Opcode Fuzzy Hash: 77fe3334644f95f814bb3f16e7c9617fbda25bf550d64aa47369ff7a5cc82e56
                                                                                        • Instruction Fuzzy Hash: FB015331C0162DDBCF00EBE4D959AFDBB7AFF09310F00454AE902B2241CB399661CBA2
                                                                                        APIs
                                                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006C1114
                                                                                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C1120
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C112F
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006C0B9B,?,?,?), ref: 006C1136
                                                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006C114D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 842720411-0
                                                                                        • Opcode ID: fb65eb4f81e650295e1780febb60d6ac98f3e507a84da7b90447fb40f61f96a3
                                                                                        • Instruction ID: 99c167187e998b84770145d537aea750014b829a24f9dd46c9a5f8530795f7df
                                                                                        • Opcode Fuzzy Hash: fb65eb4f81e650295e1780febb60d6ac98f3e507a84da7b90447fb40f61f96a3
                                                                                        • Instruction Fuzzy Hash: 8B011975200209BFDB115FA5DD49EBA3B6FEF8A3A0B254419FA45D7360DB31DC10DA60
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006C0FCA
                                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006C0FD6
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006C0FE5
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006C0FEC
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006C1002
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        • Opcode ID: a54a6e1a58f5ca45cfae7a214bddf3ec5a964b89e568444bf58cbdc13200ecce
                                                                                        • Instruction ID: 9aedf4a9c038fe8d8d325f5e46432dd4c83256e8fb647d212a7a4b0fdc5c9110
                                                                                        • Opcode Fuzzy Hash: a54a6e1a58f5ca45cfae7a214bddf3ec5a964b89e568444bf58cbdc13200ecce
                                                                                        • Instruction Fuzzy Hash: 7CF04F35200345ABD7214FA4DD4AFA63B6EEF8A761F114415F945CA351CE71DC50DA60
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006C102A
                                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006C1036
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006C1045
                                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006C104C
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006C1062
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        • Opcode ID: 44db2a39ac255928e19e2293cf41029159bbd877034502f2b271d3daf44ed3a6
                                                                                        • Instruction ID: aa418d2534976c346be700dcd7f97353488fe9a896bfa7f24ecf7592cbbf0520
                                                                                        • Opcode Fuzzy Hash: 44db2a39ac255928e19e2293cf41029159bbd877034502f2b271d3daf44ed3a6
                                                                                        • Instruction Fuzzy Hash: 40F04936240309ABDB215FA4ED49FA63BAEEF8A761F110418FA45CA351CE71D890DA60
                                                                                        APIs
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,006D017D,?,006D32FC,?,00000001,006A2592,?), ref: 006D0324
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,006D017D,?,006D32FC,?,00000001,006A2592,?), ref: 006D0331
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,006D017D,?,006D32FC,?,00000001,006A2592,?), ref: 006D033E
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,006D017D,?,006D32FC,?,00000001,006A2592,?), ref: 006D034B
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,006D017D,?,006D32FC,?,00000001,006A2592,?), ref: 006D0358
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,006D017D,?,006D32FC,?,00000001,006A2592,?), ref: 006D0365
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandle
                                                                                        • String ID:
                                                                                        • API String ID: 2962429428-0
                                                                                        • Opcode ID: ccf95eeb54e4de9d6475f0d75e6b91158514461c6dfaa2c38860d12d1e5d11bf
                                                                                        • Instruction ID: 5e2bd53acbf8ad7968277827374c6668929a63b5941d5f6fe8e964624a5bf83f
                                                                                        • Opcode Fuzzy Hash: ccf95eeb54e4de9d6475f0d75e6b91158514461c6dfaa2c38860d12d1e5d11bf
                                                                                        • Instruction Fuzzy Hash: 7F01E272800B069FD7309F66D880852F7F6BF503153068A3FD19252A30C3B1A954CF80
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 0069D752
                                                                                          • Part of subcall function 006929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000), ref: 006929DE
                                                                                          • Part of subcall function 006929C8: GetLastError.KERNEL32(00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000,00000000), ref: 006929F0
                                                                                        • _free.LIBCMT ref: 0069D764
                                                                                        • _free.LIBCMT ref: 0069D776
                                                                                        • _free.LIBCMT ref: 0069D788
                                                                                        • _free.LIBCMT ref: 0069D79A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: 1e2398ae884b4f660116e3c80460a85d72229697a9654692634b7e4ebff057ef
                                                                                        • Instruction ID: 930ff677e084c7e2f5bfcaa3446ad0a5fbe1f1d6d57bc3d372908a0c4aa18432
                                                                                        • Opcode Fuzzy Hash: 1e2398ae884b4f660116e3c80460a85d72229697a9654692634b7e4ebff057ef
                                                                                        • Instruction Fuzzy Hash: 23F01232544205BB8E62EBA5F9C5C5A77DFBB547107E54819F04CEBE01C734FC8086A8
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 006C5C58
                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 006C5C6F
                                                                                        • MessageBeep.USER32(00000000), ref: 006C5C87
                                                                                        • KillTimer.USER32(?,0000040A), ref: 006C5CA3
                                                                                        • EndDialog.USER32(?,00000001), ref: 006C5CBD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3741023627-0
                                                                                        • Opcode ID: 3ff33b270523690b8e11e2fdbb19e4e96c53058e6243f6f86c2b332d89134c68
                                                                                        • Instruction ID: afb5fc02a9c392d3e820e4950627490150108833b496cbb6016bbd3cbe418cd6
                                                                                        • Opcode Fuzzy Hash: 3ff33b270523690b8e11e2fdbb19e4e96c53058e6243f6f86c2b332d89134c68
                                                                                        • Instruction Fuzzy Hash: 50016230500B08ABEB206B14DE4EFF677BAFB00B05F00155DA593A10E1DBF0B988CA91
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 006922BE
                                                                                          • Part of subcall function 006929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000), ref: 006929DE
                                                                                          • Part of subcall function 006929C8: GetLastError.KERNEL32(00000000,?,0069D7D1,00000000,00000000,00000000,00000000,?,0069D7F8,00000000,00000007,00000000,?,0069DBF5,00000000,00000000), ref: 006929F0
                                                                                        • _free.LIBCMT ref: 006922D0
                                                                                        • _free.LIBCMT ref: 006922E3
                                                                                        • _free.LIBCMT ref: 006922F4
                                                                                        • _free.LIBCMT ref: 00692305
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: e3e72a97030c59c265f2a4ca182b0f715ff018bae66bb142a446f06ba85f0fb2
                                                                                        • Instruction ID: a3e1e8d8ddc4ff947fc5cf9c8c1c7ea606e7e21888ee281439d40e996ab1ec0a
                                                                                        • Opcode Fuzzy Hash: e3e72a97030c59c265f2a4ca182b0f715ff018bae66bb142a446f06ba85f0fb2
                                                                                        • Instruction Fuzzy Hash: 2AF05E70901522AB9E63EF55BC2184D3B6AF728B62740C50AF414D27B1C73C0912EFEC
                                                                                        APIs
                                                                                        • EndPath.GDI32(?), ref: 006795D4
                                                                                        • StrokeAndFillPath.GDI32(?,?,006B71F7,00000000,?,?,?), ref: 006795F0
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00679603
                                                                                        • DeleteObject.GDI32 ref: 00679616
                                                                                        • StrokePath.GDI32(?), ref: 00679631
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                        • String ID:
                                                                                        • API String ID: 2625713937-0
                                                                                        • Opcode ID: a2b9bbddc4c88099166116796ae448718c0d2b9548d09336391fdb990efc325f
                                                                                        • Instruction ID: 713b637bb74da11791a5011afacc6d0b4b06c83b968b5060882e6d097d11b1ff
                                                                                        • Opcode Fuzzy Hash: a2b9bbddc4c88099166116796ae448718c0d2b9548d09336391fdb990efc325f
                                                                                        • Instruction Fuzzy Hash: FEF01934005648EBEB129F65EE18BA43BA2AB01336F44C314F469551F0CB3999A6DF28
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: __freea$_free
                                                                                        • String ID: a/p$am/pm
                                                                                        • API String ID: 3432400110-3206640213
                                                                                        • Opcode ID: a61f926321509a90c2c2ca06833e4c0e935b277f428011c6bde4e6da061490d3
                                                                                        • Instruction ID: dc41e8b0b57bbcef6f3954ce52e87df1016920839cc11a71f3fb4c9c148dff03
                                                                                        • Opcode Fuzzy Hash: a61f926321509a90c2c2ca06833e4c0e935b277f428011c6bde4e6da061490d3
                                                                                        • Instruction Fuzzy Hash: 01D1CD31A00207DADF299F68C855AFAB7BAEB07300F38415AE9159FF50D7359E81CB91
                                                                                        APIs
                                                                                          • Part of subcall function 00680242: EnterCriticalSection.KERNEL32(0073070C,00731884,?,?,0067198B,00732518,?,?,?,006612F9,00000000), ref: 0068024D
                                                                                          • Part of subcall function 00680242: LeaveCriticalSection.KERNEL32(0073070C,?,0067198B,00732518,?,?,?,006612F9,00000000), ref: 0068028A
                                                                                          • Part of subcall function 006800A3: __onexit.LIBCMT ref: 006800A9
                                                                                        • __Init_thread_footer.LIBCMT ref: 006E6238
                                                                                          • Part of subcall function 006801F8: EnterCriticalSection.KERNEL32(0073070C,?,?,00678747,00732514), ref: 00680202
                                                                                          • Part of subcall function 006801F8: LeaveCriticalSection.KERNEL32(0073070C,?,00678747,00732514), ref: 00680235
                                                                                          • Part of subcall function 006D359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006D35E4
                                                                                          • Part of subcall function 006D359C: LoadStringW.USER32(00732390,?,00000FFF,?), ref: 006D360A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                        • String ID: x#s$x#s$x#s
                                                                                        • API String ID: 1072379062-3720613016
                                                                                        • Opcode ID: 71987e3eece0bd82ac585d0de33082d55bc8b3093b2e0f27a24409ea86871b35
                                                                                        • Instruction ID: f314076641f80c1583835688701db0a0a8587111d223df268a0761325b1cab65
                                                                                        • Opcode Fuzzy Hash: 71987e3eece0bd82ac585d0de33082d55bc8b3093b2e0f27a24409ea86871b35
                                                                                        • Instruction Fuzzy Hash: 98C18D71A00245AFDB14DF99C890EBEB7BAEF58340F10806DF9159B291DB70ED45CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: JOf
                                                                                        • API String ID: 0-1367099043
                                                                                        • Opcode ID: 871bd689812a4d876db279b95722256c3c27fa96759c7873490638d622ec6d7b
                                                                                        • Instruction ID: 01f32bb7e4de9f50f7f1a2c0544931cfd8c8cfcbe090102ffe17e7ae3aceb8d6
                                                                                        • Opcode Fuzzy Hash: 871bd689812a4d876db279b95722256c3c27fa96759c7873490638d622ec6d7b
                                                                                        • Instruction Fuzzy Hash: C551B071D0060AEFDF22AFA4C855EEE7BBEAF05320F14015DF406A7691D7319A02CB65
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00698B6E
                                                                                        • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00698B7A
                                                                                        • __dosmaperr.LIBCMT ref: 00698B81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                                                        • String ID: .h
                                                                                        • API String ID: 2434981716-3939481508
                                                                                        • Opcode ID: f0c7af670a3f4d51262ef94409550a7549bf50277e2a790bae5fd4383464cbd5
                                                                                        • Instruction ID: 1395fb6b6828f6ff9f6fb50f34727895d42e3134e13b6ca34c44c383143e6e75
                                                                                        • Opcode Fuzzy Hash: f0c7af670a3f4d51262ef94409550a7549bf50277e2a790bae5fd4383464cbd5
                                                                                        • Instruction Fuzzy Hash: FB416970604145AFDF249F64C890ABD7BEBEB87310F2C81A9E88587A46DE318C028794
                                                                                        APIs
                                                                                          • Part of subcall function 006CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006C21D0,?,?,00000034,00000800,?,00000034), ref: 006CB42D
                                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006C2760
                                                                                          • Part of subcall function 006CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 006CB3F8
                                                                                          • Part of subcall function 006CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 006CB355
                                                                                          • Part of subcall function 006CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006C2194,00000034,?,?,00001004,00000000,00000000), ref: 006CB365
                                                                                          • Part of subcall function 006CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006C2194,00000034,?,?,00001004,00000000,00000000), ref: 006CB37B
                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006C27CD
                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006C281A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                        • String ID: @
                                                                                        • API String ID: 4150878124-2766056989
                                                                                        • Opcode ID: 8e9484d15c2f934bed8dcb9c9ed18727f40d96ccb74a1cc5d5dcc6f258a54efe
                                                                                        • Instruction ID: d7dbc9146765fb681bb4b5fe869db84b76d2452a731879209973385b496982cd
                                                                                        • Opcode Fuzzy Hash: 8e9484d15c2f934bed8dcb9c9ed18727f40d96ccb74a1cc5d5dcc6f258a54efe
                                                                                        • Instruction Fuzzy Hash: A2413C72900218AFDB10DBA4CD96FEEBBB9EF09700F105059FA55B7181DB706E45CBA1
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe,00000104), ref: 00691769
                                                                                        • _free.LIBCMT ref: 00691834
                                                                                        • _free.LIBCMT ref: 0069183E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$FileModuleName
                                                                                        • String ID: C:\Users\user\Desktop\ORDER ENQIRY #093727664.exe
                                                                                        • API String ID: 2506810119-701561027
                                                                                        • Opcode ID: d23a0d2acd89e008bf01dc4f4f85a0e477483f5562045869945b4671d30c3ab7
                                                                                        • Instruction ID: c2ecd30027a86c3dac7bb951232ee080dc5d4f30b63c03141bd14c97b2303d05
                                                                                        • Opcode Fuzzy Hash: d23a0d2acd89e008bf01dc4f4f85a0e477483f5562045869945b4671d30c3ab7
                                                                                        • Instruction Fuzzy Hash: 5F31A271A0020AABDF21DB999981DDEBBFEEB86310B60416AF804DB711D6704E41DB94
                                                                                        APIs
                                                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006CC306
                                                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 006CC34C
                                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00731990,00C84D10), ref: 006CC395
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Delete$InfoItem
                                                                                        • String ID: 0
                                                                                        • API String ID: 135850232-4108050209
                                                                                        • Opcode ID: 14a936f5e0a7bd6dbc7aaa75cafcc19a57ad27ea535ff81289f2011f8e328d01
                                                                                        • Instruction ID: aefcea0b73ae81e45ddf81d9a2dee33b0a584ffded06209dc4f679b748cce4d4
                                                                                        • Opcode Fuzzy Hash: 14a936f5e0a7bd6dbc7aaa75cafcc19a57ad27ea535ff81289f2011f8e328d01
                                                                                        • Instruction Fuzzy Hash: 54419F712043419FD720DF24E845F6ABBEAEF85320F04861EF8A9D7391D730A905CB66
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006FCC08,00000000,?,?,?,?), ref: 006F44AA
                                                                                        • GetWindowLongW.USER32 ref: 006F44C7
                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006F44D7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long
                                                                                        • String ID: SysTreeView32
                                                                                        • API String ID: 847901565-1698111956
                                                                                        • Opcode ID: b61373041d98bc38f95e1b7d58c70a76ea5f250d5f103558db8cfc2e526e57d1
                                                                                        • Instruction ID: 8149b8d5b26166440d41d511f4cd24b76ab0e2d5c19a4ece6383bfc354da60df
                                                                                        • Opcode Fuzzy Hash: b61373041d98bc38f95e1b7d58c70a76ea5f250d5f103558db8cfc2e526e57d1
                                                                                        • Instruction Fuzzy Hash: 79319031214609AFDB209E38DC45BEB77AAEB09334F205719FA75E22D0DB74EC519B50
                                                                                        APIs
                                                                                        • SysReAllocString.OLEAUT32(?,?), ref: 006C6EED
                                                                                        • VariantCopyInd.OLEAUT32(?,?), ref: 006C6F08
                                                                                        • VariantClear.OLEAUT32(?), ref: 006C6F12
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$AllocClearCopyString
                                                                                        • String ID: *jl
                                                                                        • API String ID: 2173805711-294499450
                                                                                        • Opcode ID: 2600d33f1fdaeeeced98af0776228d4873245fbbe9d163a9a5075ee79c7205d7
                                                                                        • Instruction ID: c888b0098fee8226719c15fec6c54a72063c3ef5dd86c23a6294825598f4dbc4
                                                                                        • Opcode Fuzzy Hash: 2600d33f1fdaeeeced98af0776228d4873245fbbe9d163a9a5075ee79c7205d7
                                                                                        • Instruction Fuzzy Hash: A9318171604245DBCB05AF65E851EBD37B7EF8A300B10049EFA228B2B1C7749952DB98
                                                                                        APIs
                                                                                          • Part of subcall function 006E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,006E3077,?,?), ref: 006E3378
                                                                                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006E307A
                                                                                        • _wcslen.LIBCMT ref: 006E309B
                                                                                        • htons.WSOCK32(00000000,?,?,00000000), ref: 006E3106
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                        • String ID: 255.255.255.255
                                                                                        • API String ID: 946324512-2422070025
                                                                                        • Opcode ID: 66d04f3cfd990ba09ebeaaf19e39e462481a4d68eadb26b97dd6e07c23316bf6
                                                                                        • Instruction ID: fc56ebfb2a7589cbcf9103f1ae68ceed2d2f9f8819d34b76cb0dfd2150f86176
                                                                                        • Opcode Fuzzy Hash: 66d04f3cfd990ba09ebeaaf19e39e462481a4d68eadb26b97dd6e07c23316bf6
                                                                                        • Instruction Fuzzy Hash: 8431E1352013959FCB20CF2AC589EEA77E2EF54318F248059E8158F392CB32EE45C760
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006F4705
                                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006F4713
                                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006F471A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$DestroyWindow
                                                                                        • String ID: msctls_updown32
                                                                                        • API String ID: 4014797782-2298589950
                                                                                        • Opcode ID: dd8db91482bf15385098504885b77fd1d8030fed6440d43fdd0339c66f4b18b9
                                                                                        • Instruction ID: 6f2ceb2bed01fb9add76cbf76b171640eea11c0458f8da8370f7575d6c9a3b56
                                                                                        • Opcode Fuzzy Hash: dd8db91482bf15385098504885b77fd1d8030fed6440d43fdd0339c66f4b18b9
                                                                                        • Instruction Fuzzy Hash: E5213EB5604209AFEB10EF64DC91DB737AEEF9A3A8B050159FA009B351CB75EC11CA64
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen
                                                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                        • API String ID: 176396367-2734436370
                                                                                        • Opcode ID: 0fd9491e8bb4fdff443056081c4e9e3d559ad22cdab4fb9c30db62ded95f1f44
                                                                                        • Instruction ID: 0a0f3ed6e395cd097cf9b562d3e1244576b4cc271c383dbad648c29df56416ba
                                                                                        • Opcode Fuzzy Hash: 0fd9491e8bb4fdff443056081c4e9e3d559ad22cdab4fb9c30db62ded95f1f44
                                                                                        • Instruction Fuzzy Hash: AB21383220411166E331BB25DC0AFF7739BEF55314F50402EFA4997282EB619D42C3B9
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006F3840
                                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006F3850
                                                                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006F3876
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$MoveWindow
                                                                                        • String ID: Listbox
                                                                                        • API String ID: 3315199576-2633736733
                                                                                        • Opcode ID: 58cbf74f7623dc02c4b755a266bf9477d34724be8cc216ceb6cfb336d13505f7
                                                                                        • Instruction ID: 94b6ef4b2457c13e65736fa01c74b8702c6bee6d013ab6adb9d873d0a5a422d5
                                                                                        • Opcode Fuzzy Hash: 58cbf74f7623dc02c4b755a266bf9477d34724be8cc216ceb6cfb336d13505f7
                                                                                        • Instruction Fuzzy Hash: 9921B072610228BBEB119F54DC41EFB376BEF897A0F108124FA109B290C675DC52C7A0
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 006D4A08
                                                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006D4A5C
                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,006FCC08), ref: 006D4AD0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$InformationVolume
                                                                                        • String ID: %lu
                                                                                        • API String ID: 2507767853-685833217
                                                                                        • Opcode ID: 13303c4634f25c36fc687926a1e075d659ebba4f7ecf7853f1455fdf8c72e7e8
                                                                                        • Instruction ID: c20e997bf525442af4c7b10d1fac0ec0ed1442108410271aeff5d3967329b7e3
                                                                                        • Opcode Fuzzy Hash: 13303c4634f25c36fc687926a1e075d659ebba4f7ecf7853f1455fdf8c72e7e8
                                                                                        • Instruction Fuzzy Hash: B9318E74A00108AFDB10DF54C981EAA7BFAEF08318F1480A9E809DB352DB71EE45CB61
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006F424F
                                                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006F4264
                                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006F4271
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: msctls_trackbar32
                                                                                        • API String ID: 3850602802-1010561917
                                                                                        • Opcode ID: 361c4d0e5be2370e2c76972160e02283f905b27fb47623bb4db9216c42bf86f1
                                                                                        • Instruction ID: 12327a5b80229cf6fc12dd4581ab8d36ec408e3e3f432ef645d27dc0f5adb83d
                                                                                        • Opcode Fuzzy Hash: 361c4d0e5be2370e2c76972160e02283f905b27fb47623bb4db9216c42bf86f1
                                                                                        • Instruction Fuzzy Hash: 2811E031240248BEEF209F28CC06FFB3BAEEF85B64F010528FA55E21A0D671D811DB24
                                                                                        APIs
                                                                                          • Part of subcall function 00666B57: _wcslen.LIBCMT ref: 00666B6A
                                                                                          • Part of subcall function 006C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006C2DC5
                                                                                          • Part of subcall function 006C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 006C2DD6
                                                                                          • Part of subcall function 006C2DA7: GetCurrentThreadId.KERNEL32 ref: 006C2DDD
                                                                                          • Part of subcall function 006C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006C2DE4
                                                                                        • GetFocus.USER32 ref: 006C2F78
                                                                                          • Part of subcall function 006C2DEE: GetParent.USER32(00000000), ref: 006C2DF9
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 006C2FC3
                                                                                        • EnumChildWindows.USER32(?,006C303B), ref: 006C2FEB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                        • String ID: %s%d
                                                                                        • API String ID: 1272988791-1110647743
                                                                                        • Opcode ID: 026016abe38ffb30f8987efb23e84f867504df3beb06ee075fdf2cce4cc7c0c6
                                                                                        • Instruction ID: 46c6e65f1fb55847c6484c2a83567034ea6f0540d8c02ee5ebff964930a88a34
                                                                                        • Opcode Fuzzy Hash: 026016abe38ffb30f8987efb23e84f867504df3beb06ee075fdf2cce4cc7c0c6
                                                                                        • Instruction Fuzzy Hash: 5611AE71200219ABCF806F60DC96FFD376BEF94314F04807DF9099B292DE70A9498B60
                                                                                        APIs
                                                                                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006F58C1
                                                                                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006F58EE
                                                                                        • DrawMenuBar.USER32(?), ref: 006F58FD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$InfoItem$Draw
                                                                                        • String ID: 0
                                                                                        • API String ID: 3227129158-4108050209
                                                                                        • Opcode ID: cffe55471ece7ea647d4b6fdd907323833ae7be71938b93395b00cb35a52aaae
                                                                                        • Instruction ID: a5226364936898e7c4ea578e8f69039e16f66f7609a0ecc6d3e40aa6019a27c8
                                                                                        • Opcode Fuzzy Hash: cffe55471ece7ea647d4b6fdd907323833ae7be71938b93395b00cb35a52aaae
                                                                                        • Instruction Fuzzy Hash: 3F015B3150025CEEDB619F21DC44BBEBBB6FF45360F10809AEA4AD6251DB708A95EF21
                                                                                        APIs
                                                                                        • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 006BD3BF
                                                                                        • FreeLibrary.KERNEL32 ref: 006BD3E5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressFreeLibraryProc
                                                                                        • String ID: GetSystemWow64DirectoryW$X64
                                                                                        • API String ID: 3013587201-2590602151
                                                                                        • Opcode ID: 3289b1074e8af29cac5bf2a0d4fa9b9978e6804b9705eb155d4fcb6cc99d8a53
                                                                                        • Instruction ID: c79dcbd2ccb94b1c68aad9dce5954fbbc52bb61eee7fea097b947426ca7f8ae9
                                                                                        • Opcode Fuzzy Hash: 3289b1074e8af29cac5bf2a0d4fa9b9978e6804b9705eb155d4fcb6cc99d8a53
                                                                                        • Instruction Fuzzy Hash: EEF055E2802A659BD3314B208D24DF93723AF01B01B589128EA02E920AF734CEC98382
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 84750527477944493f8bf01c9daae847e10f8d9017c45be67609b5519b661d83
                                                                                        • Instruction ID: 9aeabdd0f48f909ceece9e81d223e041b3289d88158f9b72cfd99d38a4921aad
                                                                                        • Opcode Fuzzy Hash: 84750527477944493f8bf01c9daae847e10f8d9017c45be67609b5519b661d83
                                                                                        • Instruction Fuzzy Hash: 71C12775A0021AEFEB14DFA4C894FBAB7B6FF48704F248598E505AB251D731EE41CB90
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInitInitializeUninitialize
                                                                                        • String ID:
                                                                                        • API String ID: 1998397398-0
                                                                                        • Opcode ID: 872470859fe7236b347f04910610edd6ab94b0e05c21ed5c98fa7d6b27436a67
                                                                                        • Instruction ID: 906ae118a4fe342e7e56a1686b5f34089b77f62b878312fb126a725d06bbd5aa
                                                                                        • Opcode Fuzzy Hash: 872470859fe7236b347f04910610edd6ab94b0e05c21ed5c98fa7d6b27436a67
                                                                                        • Instruction Fuzzy Hash: 03A159756143109FCB50DF29C485A6AB7E6FF88724F04885DF98A9B362DB30EE01CB95
                                                                                        APIs
                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006FFC08,?), ref: 006C05F0
                                                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006FFC08,?), ref: 006C0608
                                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,006FCC40,000000FF,?,00000000,00000800,00000000,?,006FFC08,?), ref: 006C062D
                                                                                        • _memcmp.LIBVCRUNTIME ref: 006C064E
                                                                                        Similarity
                                                                                        • API ID: FromProg$FreeTask_memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 314563124-0
                                                                                        • Opcode ID: 81f23e2c1d72d0827a047c5ff35a80e8560d61b166dd55063ef98b2fa93d0fd7
                                                                                        • Instruction ID: 612b398968346f2ea6d88dea62adbf2c57289caceda0baa7f8fa81f104fabea4
                                                                                        • Opcode Fuzzy Hash: 81f23e2c1d72d0827a047c5ff35a80e8560d61b166dd55063ef98b2fa93d0fd7
                                                                                        • Instruction Fuzzy Hash: 7E81E875A00109EFDB04DF94C984EFEB7BAFF89315F204598E516AB250DB71AE06CB60
                                                                                        Similarity
                                                                                        • API ID: _free
                                                                                        • String ID:
                                                                                        • API String ID: 269201875-0
                                                                                        • Opcode ID: 7cf9ec97d76880e99ba58cefb448a22b62a2fbd60ea3b86c0a9264b04e7cbd53
                                                                                        • Instruction ID: 2a6bf4a7a8962ae58e607c67097e99b86da0a9f76a41507980d2bc272927bc74
                                                                                        • Opcode Fuzzy Hash: 7cf9ec97d76880e99ba58cefb448a22b62a2fbd60ea3b86c0a9264b04e7cbd53
                                                                                        • Instruction Fuzzy Hash: 43411931900114ABDF217FFD8C456AE3AEBEF4B770F140229F419DA292E6348D425BB5
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(00C8E5D0,?), ref: 006F62E2
                                                                                        • ScreenToClient.USER32(?,?), ref: 006F6315
                                                                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 006F6382
                                                                                        Similarity
                                                                                        • API ID: Window$ClientMoveRectScreen
                                                                                        • String ID:
                                                                                        • API String ID: 3880355969-0
                                                                                        • Opcode ID: aab9ad404a81ddff802809d224839054cce31e69db742ec63820cc5b07fc67ef
                                                                                        • Instruction ID: 38b4cdae65a4d33a3c62ccb628393a063b508fb204af07fa4a3b0ee613543c69
                                                                                        • Opcode Fuzzy Hash: aab9ad404a81ddff802809d224839054cce31e69db742ec63820cc5b07fc67ef
                                                                                        • Instruction Fuzzy Hash: F6513975A00209EFDB10DF68D880ABE7BB6EF55360F108169F9159B390D730ED41CB90
                                                                                        APIs
                                                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 006E1AFD
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E1B0B
                                                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006E1B8A
                                                                                        • WSAGetLastError.WSOCK32 ref: 006E1B94
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$socket
                                                                                        • String ID:
                                                                                        • API String ID: 1881357543-0
                                                                                        • Opcode ID: 4761bf4fac1533e72f70777346dacd0927acac9f7d79b26a69a7b1e64bda0c84
                                                                                        • Instruction ID: cde5ad41d164262f1132c13ea31488d03b137e6d08151fd7c828ab62f58e9703
                                                                                        • Opcode Fuzzy Hash: 4761bf4fac1533e72f70777346dacd0927acac9f7d79b26a69a7b1e64bda0c84
                                                                                        • Instruction Fuzzy Hash: 38419E34600300AFE720AF25C886F6A77E6AB45718F54848CF95A9F3D2D672ED42CB90
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 56c848fd9346cc483e9f373c4ad868581edaccc760d084845e5fc9fa120e945b
                                                                                        • Instruction ID: adc67f79b614ba53effc2d131c591813729772d71a811dc4570e464fd515f743
                                                                                        • Opcode Fuzzy Hash: 56c848fd9346cc483e9f373c4ad868581edaccc760d084845e5fc9fa120e945b
                                                                                        • Instruction Fuzzy Hash: F8412875A00304BFDB24AF78DD41BAABBEEEF84B10F10462EF141DBA91D37199018B80
                                                                                        APIs
                                                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006D5783
                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 006D57A9
                                                                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006D57CE
                                                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006D57FA
                                                                                        Similarity
                                                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                        • String ID:
                                                                                        • API String ID: 3321077145-0
                                                                                        • Opcode ID: bf08c34a71c95ff7abb411edfa1b57bd642ed93bb82c872f6527b7ecf16b19bc
                                                                                        • Instruction ID: b838045748909bc2152813d238c494ec1f8555493ec0f2184595ccf7808dfabb
                                                                                        • Opcode Fuzzy Hash: bf08c34a71c95ff7abb411edfa1b57bd642ed93bb82c872f6527b7ecf16b19bc
                                                                                        • Instruction Fuzzy Hash: D7412939600A10DFCB11EF15C544A5EBBF3EF89324B198489E84AAB362CB31FD40CB95
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00686D71,00000000,00000000,006882D9,?,006882D9,?,00000001,00686D71,?,00000001,006882D9,006882D9), ref: 0069D910
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0069D999
                                                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0069D9AB
                                                                                        • __freea.LIBCMT ref: 0069D9B4
                                                                                          • Part of subcall function 00693820: RtlAllocateHeap.NTDLL(00000000,?,00731444,?,0067FDF5,?,?,0066A976,00000010,00731440,006613FC,?,006613C6,?,00661129), ref: 00693852
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                        • String ID:
                                                                                        • API String ID: 2652629310-0
                                                                                        • Opcode ID: f840179917d14db9d7bae6128c7f6aea0331a40e264ca2cc1ca5b2e7023bf402
                                                                                        • Instruction ID: d6a65b4edf08115057d0f49593150ec46f962b0f575d2cc48351045110cc43c1
                                                                                        • Opcode Fuzzy Hash: f840179917d14db9d7bae6128c7f6aea0331a40e264ca2cc1ca5b2e7023bf402
                                                                                        • Instruction Fuzzy Hash: 3131B072A0020AABDF25EF64DC41EEE7BAAEB41310B154269FC04D7291EB35CD55CB90
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 006F5352
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 006F5375
                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006F5382
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006F53A8
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID:
• API String ID: 3340791633-0
APIs
• GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 006CABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 006CAC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 006CAC74
• SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 006CACC6
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• ClientToScreen.USER32(?,?), ref: 006F769A
• GetWindowRect.USER32(?,?), ref: 006F7710
• PtInRect.USER32(?,?,006F8B89), ref: 006F7720
• MessageBeep.USER32(00000000), ref: 006F778C
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetForegroundWindow.USER32 ref: 006F16EB
  • Part of subcall function 006C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006C3A57
  • Part of subcall function 006C3A3D: GetCurrentThreadId.KERNEL32 ref: 006C3A5E
  • Part of subcall function 006C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006C25B3), ref: 006C3A65
• GetCaretPos.USER32(?), ref: 006F16FF
• ClientToScreen.USER32(00000000,?), ref: 006F174C
• GetForegroundWindow.USER32 ref: 006F1752
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 006CD501
• Process32FirstW.KERNEL32(00000000,?), ref: 006CD50F
• Process32NextW.KERNEL32(00000000,?), ref: 006CD52F
• CloseHandle.KERNEL32(00000000), ref: 006CD5DC
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
APIs
  • Part of subcall function 00679BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00679BB2
• GetCursorPos.USER32(?), ref: 006F9001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006B7711,?,?,?,?,?), ref: 006F9016
• GetCursorPos.USER32(?), ref: 006F905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006B7711,?,?,?), ref: 006F9094
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
APIs
• GetFileAttributesW.KERNEL32(?,006FCB68), ref: 006CD2FB
• GetLastError.KERNEL32 ref: 006CD30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 006CD319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006FCB68), ref: 006CD376
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
APIs
  • Part of subcall function 006C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006C102A
  • Part of subcall function 006C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006C1036
  • Part of subcall function 006C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006C1045
  • Part of subcall function 006C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006C104C
  • Part of subcall function 006C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006C1062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006C15BE
• _memcmp.LIBVCRUNTIME ref: 006C15E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C1617
• HeapFree.KERNEL32(00000000), ref: 006C161E
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 006F280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 006F2824
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 006F2832
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006F2840
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
APIs
  • Part of subcall function 006C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,006C790A,?,000000FF,?,006C8754,00000000,?,0000001C,?,?), ref: 006C8D8C
  • Part of subcall function 006C8D7D: lstrcpyW.KERNEL32(00000000,?,?,006C790A,?,000000FF,?,006C8754,00000000,?,0000001C,?,?,00000000), ref: 006C8DB2
  • Part of subcall function 006C8D7D: lstrcmpiW.KERNEL32(00000000,?,006C790A,?,000000FF,?,006C8754,00000000,?,0000001C,?,?), ref: 006C8DE3
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,006C8754,00000000,?,0000001C,?,?,00000000), ref: 006C7923
• lstrcpyW.KERNEL32(00000000,?,?,006C8754,00000000,?,0000001C,?,?,00000000), ref: 006C7949
• lstrcmpiW.KERNEL32(00000002,cdecl,?,006C8754,00000000,?,0000001C,?,?,00000000), ref: 006C7984
Strings
                                                                                        Similarity
                                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                                        • String ID: cdecl
                                                                                        • API String ID: 4031866154-3896280584
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 006F56BB
                                                                                        • _wcslen.LIBCMT ref: 006F56CD
                                                                                        • _wcslen.LIBCMT ref: 006F56D8
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 006F5816
                                                                                        Similarity
                                                                                        • API ID: MessageSend_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 455545452-0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 006C1A47
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006C1A59
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006C1A6F
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006C1A8A
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 006CE1FD
                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 006CE230
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006CE246
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006CE24D
                                                                                        Similarity
                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 2880819207-0
                                                                                        APIs
                                                                                        • CreateThread.KERNEL32(00000000,?,0068CFF9,00000000,00000004,00000000), ref: 0068D218
                                                                                        • GetLastError.KERNEL32 ref: 0068D224
                                                                                        • __dosmaperr.LIBCMT ref: 0068D22B
                                                                                        • ResumeThread.KERNEL32(00000000), ref: 0068D249
                                                                                        Similarity
                                                                                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                        • String ID:
                                                                                        • API String ID: 173952441-0
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0066604C
                                                                                        • GetStockObject.GDI32(00000011), ref: 00666060
                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0066606A
                                                                                        Similarity
                                                                                        • API ID: CreateMessageObjectSendStockWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3970641297-0
                                                                                        APIs
                                                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00683B56
                                                                                          • Part of subcall function 00683AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00683AD2
                                                                                          • Part of subcall function 00683AA3: ___AdjustPointer.LIBCMT ref: 00683AED
                                                                                        • _UnwindNestedFrames.LIBCMT ref: 00683B6B
                                                                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00683B7C
                                                                                        • CallCatchBlock.LIBVCRUNTIME ref: 00683BA4
                                                                                        Similarity
                                                                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                        • String ID:
                                                                                        • API String ID: 737400349-0
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006613C6,00000000,00000000,?,0069301A,006613C6,00000000,00000000,00000000,?,0069328B,00000006,FlsSetValue), ref: 006930A5
                                                                                        • GetLastError.KERNEL32(?,0069301A,006613C6,00000000,00000000,00000000,?,0069328B,00000006,FlsSetValue,00702290,FlsSetValue,00000000,00000364,?,00692E46), ref: 006930B1
                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0069301A,006613C6,00000000,00000000,00000000,?,0069328B,00000006,FlsSetValue,00702290,FlsSetValue,00000000), ref: 006930BF
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 3177248105-0
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 006C747F
                                                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006C7497
                                                                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006C74AC
                                                                                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006C74CA
                                                                                        Similarity
                                                                                        • API ID: Type$Register$FileLoadModuleNameUser
                                                                                        • String ID:
                                                                                        • API String ID: 1352324309-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006CACD3,?,00008000), ref: 006CB0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006CACD3,?,00008000), ref: 006CB0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006CACD3,?,00008000), ref: 006CB0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006CACD3,?,00008000), ref: 006CB126
Memory Dump Source
• Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
• Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006C2DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 006C2DD6
• GetCurrentThreadId.KERNEL32 ref: 006C2DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006C2DE4
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
APIs
  • Part of subcall function 00679639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00679693
  • Part of subcall function 00679639: SelectObject.GDI32(?,00000000), ref: 006796A2
  • Part of subcall function 00679639: BeginPath.GDI32(?), ref: 006796B9
  • Part of subcall function 00679639: SelectObject.GDI32(?,00000000), ref: 006796E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 006F8887
• LineTo.GDI32(?,?,?), ref: 006F8894
• EndPath.GDI32(?), ref: 006F88A4
• StrokePath.GDI32(?), ref: 006F88B2
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
APIs
• GetSysColor.USER32(00000008), ref: 006798CC
• SetTextColor.GDI32(?,?), ref: 006798D6
• SetBkMode.GDI32(?,00000001), ref: 006798E9
• GetStockObject.GDI32(00000005), ref: 006798F1
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
APIs
• GetCurrentThread.KERNEL32 ref: 006C1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,006C11D9), ref: 006C163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006C11D9), ref: 006C1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,006C11D9), ref: 006C164F
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
APIs
• GetDesktopWindow.USER32 ref: 006BD858
• GetDC.USER32(00000000), ref: 006BD862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 006BD882
• ReleaseDC.USER32(?), ref: 006BD8A3
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
APIs
• GetDesktopWindow.USER32 ref: 006BD86C
• GetDC.USER32(00000000), ref: 006BD876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 006BD882
• ReleaseDC.USER32(?), ref: 006BD8A3
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
APIs
  • Part of subcall function 00667620: _wcslen.LIBCMT ref: 00667625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 006D4ED4
Strings
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
APIs
• __startOneArgErrorHandling.LIBCMT ref: 0068E30D
Strings
Similarity
• API ID: ErrorHandling__start
• String ID: pow
APIs
• CharUpperBuffW.USER32(006B569E,00000000,?,006FCC08,?,00000000,00000000), ref: 006E78DD
  • Part of subcall function 00666B57: _wcslen.LIBCMT ref: 00666B6A
• CharUpperBuffW.USER32(006B569E,00000000,?,006FCC08,00000000,?,00000000,00000000), ref: 006E783B
Strings
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper$_wcslen
                                                                                        • String ID: <sr
                                                                                        • API String ID: 3544283678-1747582915
                                                                                        • Opcode ID: b27efce6f68fba3594833b103dcb130026c0054e7736e8f35ec9d0b591384351
                                                                                        • Instruction ID: ff697a78720a7e65cd515a227a1b209c27337d5f4dbd3b0855e2d035d54e82e9
                                                                                        • Opcode Fuzzy Hash: b27efce6f68fba3594833b103dcb130026c0054e7736e8f35ec9d0b591384351
                                                                                        • Instruction Fuzzy Hash: 8B617F72914268EACF44EBE5DC91DFEB37ABF24300B544129F542B3292EF345A05DBA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #
                                                                                        • API String ID: 0-1885708031
                                                                                        • Opcode ID: b5293c387dd2b963c9421772ec668f96c2cae31d9bcd085fbb354bd0f4e62643
                                                                                        • Instruction ID: 3573110bf16736fa187bc0b40e699098e845bf764381b2abb37f3070d8314fd7
                                                                                        • Opcode Fuzzy Hash: b5293c387dd2b963c9421772ec668f96c2cae31d9bcd085fbb354bd0f4e62643
                                                                                        • Instruction Fuzzy Hash: 425166B5504246EFDB14DF68C0406FA7BAAEF19310F248069EC919B3D1DA369E87CB90
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000), ref: 0067F2A2
                                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0067F2BB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemorySleepStatus
                                                                                        • String ID: @
                                                                                        • API String ID: 2783356886-2766056989
                                                                                        • Opcode ID: 4722e77a45e94b86f5db1aa9490b8f1b6e8b0db2178a6aa1076cfb20de41a329
                                                                                        • Instruction ID: 502626d3de79ba75a0eb7ddb9bd99670fdaa646508f4a891a13442e53b0720c3
                                                                                        • Opcode Fuzzy Hash: 4722e77a45e94b86f5db1aa9490b8f1b6e8b0db2178a6aa1076cfb20de41a329
                                                                                        • Instruction Fuzzy Hash: A95176714187849BD320AF50DC86BABBBF9FF84314F81884CF2D9410A5EB719529CB6B
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006E57E0
                                                                                        • _wcslen.LIBCMT ref: 006E57EC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper_wcslen
                                                                                        • String ID: CALLARGARRAY
                                                                                        • API String ID: 157775604-1150593374
                                                                                        • Opcode ID: a9d33426f9eb4354f5827a2f90ccc1de10e078996d65844b39542ee72563d4e9
                                                                                        • Instruction ID: 058b7df087d1e9d4035dd5383e7872cc017e1cd1b8b1696f212951bb48caee46
                                                                                        • Opcode Fuzzy Hash: a9d33426f9eb4354f5827a2f90ccc1de10e078996d65844b39542ee72563d4e9
                                                                                        • Instruction Fuzzy Hash: D0419031A012199FCB14DFA9C8819FEBBF6EF59324F14416DE506A7391E7309D81CBA4
                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 006DD130
                                                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006DD13A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CrackInternet_wcslen
                                                                                        • String ID: |
                                                                                        • API String ID: 596671847-2343686810
                                                                                        • Opcode ID: 9bc440f2e6582ed948b78f9b4b8bd19d8073437162b3fa9c6f3de926f017faa5
                                                                                        • Instruction ID: 3eafa7b770bddfea7470dd77e7bcc1c29cece1f8b7b89257d42fcfe0f655fae7
                                                                                        • Opcode Fuzzy Hash: 9bc440f2e6582ed948b78f9b4b8bd19d8073437162b3fa9c6f3de926f017faa5
                                                                                        • Instruction Fuzzy Hash: 0F313E71D00209ABCF55EFA4DC85AEEBFBAFF04304F00011DF815A6265DB31AA06DBA4
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(?,?,?,?), ref: 006F3621
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006F365C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$DestroyMove
                                                                                        • String ID: static
                                                                                        • API String ID: 2139405536-2160076837
                                                                                        • Opcode ID: b7144f19def20bf44983ac5048dad0f373806a57a71b94a8c0896f2f1346b133
                                                                                        • Instruction ID: 9667d1f2a6fd30e1038d6b4a06791ccbcf13c13f0e35bcf3766138b4d702da9b
                                                                                        • Opcode Fuzzy Hash: b7144f19def20bf44983ac5048dad0f373806a57a71b94a8c0896f2f1346b133
                                                                                        • Instruction Fuzzy Hash: 1A318C71100608AEDB109F68DC81AFB73AAFF88724F00961DFAA5D7290DA31ED81D764
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 006F461F
                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006F4634
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: '
                                                                                        • API String ID: 3850602802-1997036262
                                                                                        • Opcode ID: 003bd821bd1cb28f06fcb5556552edac936be04b52d9dfb7f72204f3ff129967
                                                                                        • Instruction ID: 324f929cb2278e56bb8a66bf3cdade16963c44908be61f1adee7e98dfcf69b78
                                                                                        • Opcode Fuzzy Hash: 003bd821bd1cb28f06fcb5556552edac936be04b52d9dfb7f72204f3ff129967
                                                                                        • Instruction Fuzzy Hash: 83311874A0120D9FDB14DFA9C990BEA7BB6FF49340F14406AEA05EB751DB70A941CF90
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006F327C
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006F3287
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: Combobox
                                                                                        • API String ID: 3850602802-2096851135
                                                                                        • Opcode ID: 694183e1086649eecc9a5ffc3493edbbc32b3f08bd31452778daedeeaf0ec161
                                                                                        • Instruction ID: d043fb3154d8e6eec4ca525912716420ceaba576341b56ffa1f86486f72b63b2
                                                                                        • Opcode Fuzzy Hash: 694183e1086649eecc9a5ffc3493edbbc32b3f08bd31452778daedeeaf0ec161
                                                                                        • Instruction Fuzzy Hash: 3B11907120021C6FFF259F54DC81EFB376BEB94364F104129FA1897390D6359E519760
                                                                                        APIs
                                                                                          • Part of subcall function 0066600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0066604C
                                                                                          • Part of subcall function 0066600E: GetStockObject.GDI32(00000011), ref: 00666060
                                                                                          • Part of subcall function 0066600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0066606A
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 006F377A
                                                                                        • GetSysColor.USER32(00000012), ref: 006F3794
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                        • String ID: static
                                                                                        • API String ID: 1983116058-2160076837
                                                                                        • Opcode ID: b4a389adf8a9e7465f42f1d2df67e9ce1abfe2ca6948566ac1a71fe4f1136b77
                                                                                        • Instruction ID: 0131ff546eeb80798982fa5f3a8f5ddd9acfbe227bfb88d82af87e7ec3cae2a1
                                                                                        • Opcode Fuzzy Hash: b4a389adf8a9e7465f42f1d2df67e9ce1abfe2ca6948566ac1a71fe4f1136b77
                                                                                        • Instruction Fuzzy Hash: C61129B261021EAFDB00EFA8CD45AFA7BB9EB08314F004914FA55E2250D735E851DB50
                                                                                        APIs
                                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006DCD7D
                                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006DCDA6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$OpenOption
                                                                                        • String ID: <local>
                                                                                        • API String ID: 942729171-4266983199
                                                                                        • Opcode ID: 15087db626e66d342681ef7530799e3089c58beb4485bc7e8ef7da38e7c79f6c
                                                                                        • Instruction ID: 1449cb66f18cb6051a7dd12bcf00a6156f4eb9d9c309175e4f30e929a1fc7150
                                                                                        • Opcode Fuzzy Hash: 15087db626e66d342681ef7530799e3089c58beb4485bc7e8ef7da38e7c79f6c
                                                                                        • Instruction Fuzzy Hash: 8911C671A0563A7AD7384B668C45EF7BE6FEF527B4F004227B10983280D7749941D6F0
                                                                                        APIs
                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 006F34AB
                                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006F34BA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: LengthMessageSendTextWindow
                                                                                        • String ID: edit
                                                                                        • API String ID: 2978978980-2167791130
                                                                                        • Opcode ID: e1274e3a9ac1ed04816fcfbc1120a971a63db561fc23e680eb983a621c57c6a6
                                                                                        • Instruction ID: 908d057f0edb707704dcb2ac4752f515b451632e9cdb91c90854a540e9180481
                                                                                        • Opcode Fuzzy Hash: e1274e3a9ac1ed04816fcfbc1120a971a63db561fc23e680eb983a621c57c6a6
                                                                                        • Instruction Fuzzy Hash: 66116A7110021CAAEB128E64DC44AFA37ABEB05374F504724FA61933E0C775DC519B64
                                                                                        APIs
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                        • CharUpperBuffW.USER32(?,?,?), ref: 006C6CB6
                                                                                        • _wcslen.LIBCMT ref: 006C6CC2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                        • String ID: STOP
                                                                                        • API String ID: 1256254125-2411985666
                                                                                        • Opcode ID: 77c63dfcd3601414b42c4f0e5aeef047072e7ec941d094615e2183419e3cd8b7
                                                                                        • Instruction ID: 0fa4dad45931f93a4dafb91c361f5f0e8020539b18b524a4f58b03a859f36ee9
                                                                                        • Opcode Fuzzy Hash: 77c63dfcd3601414b42c4f0e5aeef047072e7ec941d094615e2183419e3cd8b7
                                                                                        • Instruction Fuzzy Hash: 1F01C4326045268BCB20AFBDDC81EFF77B7EF61720710052CF86297294EA31E900C658
                                                                                        APIs
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                          • Part of subcall function 006C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006C3CCA
                                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 006C1C46
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 624084870-1403004172
                                                                                        • Opcode ID: 692cf4dda63f21bf1c0024015b4a05f7892d28050ab4d0c5c62d3cd93dc83125
                                                                                        • Instruction ID: c6ef4e4d4701abcd03295430812b5d5d6c53f842e51f1ff3ad561eb769821cdc
                                                                                        • Opcode Fuzzy Hash: 692cf4dda63f21bf1c0024015b4a05f7892d28050ab4d0c5c62d3cd93dc83125
                                                                                        • Instruction Fuzzy Hash: FA01A7B568111867CB08EB90CA51FFF77AEDB13340F14001DB80667282EA389E19E6B5
                                                                                        APIs
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                          • Part of subcall function 006C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006C3CCA
                                                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 006C1CC8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 624084870-1403004172
                                                                                        • Opcode ID: 70ad7b44de460c5edfafcc225119a8b3ab0fd24e957eb5b7941ab0ef792a5287
                                                                                        • Instruction ID: f3dfa785304de182ed39d74dcc60de4f18525961f2dce3c66c4eba9366337082
                                                                                        • Opcode Fuzzy Hash: 70ad7b44de460c5edfafcc225119a8b3ab0fd24e957eb5b7941ab0ef792a5287
                                                                                        • Instruction Fuzzy Hash: 31018FB168011867CB04EBA0CA11FFE73AEDB13340B14001DB802A7282EA389E19D675
                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 0067A529
                                                                                          • Part of subcall function 00669CB3: _wcslen.LIBCMT ref: 00669CBD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Init_thread_footer_wcslen
                                                                                        • String ID: ,%s$3yk
                                                                                        • API String ID: 2551934079-1367514051
                                                                                        • Opcode ID: 79c46bfe3456f97847f9d795119ea923dc30e3f7103a542c33183961e5b99799
                                                                                        • Instruction ID: b915a2f7534704634dd5c1b4e23d9bb6da2ca1ec7da97b2df09ec53d51faa28f
                                                                                        • Opcode Fuzzy Hash: 79c46bfe3456f97847f9d795119ea923dc30e3f7103a542c33183961e5b99799
                                                                                        • Instruction Fuzzy Hash: F0017B3170061497E540F3B8D81BAAD335BDB85720F00846CF509572C3EE605E068B9F
                                                                                        APIs
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00733018,0073305C), ref: 006F81BF
                                                                                        • CloseHandle.KERNEL32 ref: 006F81D1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateHandleProcess
                                                                                        • String ID: \0s
                                                                                        • API String ID: 3712363035-2360154291
                                                                                        • Opcode ID: 52bf9033027427b6602c10121ba1e376d04c1e7cc8fe0c6ced307bf6042a16ea
                                                                                        • Instruction ID: 1cced3c5e1c0cbffa53e9711663da9f33cad12c0882034deafb4135d00f6b798
                                                                                        • Opcode Fuzzy Hash: 52bf9033027427b6602c10121ba1e376d04c1e7cc8fe0c6ced307bf6042a16ea
                                                                                        • Instruction Fuzzy Hash: 4FF05EF2A40314BFF3346765AC55FB73A9EDB05752F004425BB08D61A2D67E8A0497BC
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen
                                                                                        • String ID: 3, 3, 16, 1
                                                                                        • API String ID: 176396367-3042988571
                                                                                        • Opcode ID: 9a6ae8c578d556165bf7005b1f4c733c4de2694a04c92f4fedb2c8ead91c23c8
                                                                                        • Instruction ID: 96bf6aab343b444188a1361d373a9976dd25adfb046d164898ff908b2b100c43
                                                                                        • Opcode Fuzzy Hash: 9a6ae8c578d556165bf7005b1f4c733c4de2694a04c92f4fedb2c8ead91c23c8
                                                                                        • Instruction Fuzzy Hash: D5E02B022063A1509271227BADC19BF57CBCFC9750710182FF985C23AAEE94CD9193E4
                                                                                        APIs
                                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006C0B23
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: AutoIt$Error allocating memory.
                                                                                        • API String ID: 2030045667-4017498283
                                                                                        • Opcode ID: 261d2cdbb9c32a7879b84edd3300ac7ba91b0f8071e9d2158570ceb61a746868
                                                                                        • Instruction ID: 86ff2ad3b6071d3d63115475e4b148e269c46e88076fbfbca88990f016a3981c
                                                                                        • Opcode Fuzzy Hash: 261d2cdbb9c32a7879b84edd3300ac7ba91b0f8071e9d2158570ceb61a746868
                                                                                        • Instruction Fuzzy Hash: F2E04F3228931C7AD2643795BD07FD97A868F05B61F10442EFB98955C38EE2689086ED
                                                                                        APIs
                                                                                          • Part of subcall function 0067F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00680D71,?,?,?,0066100A), ref: 0067F7CE
                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,0066100A), ref: 00680D75
                                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0066100A), ref: 00680D84
                                                                                        Strings
                                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00680D7F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                        • API String ID: 55579361-631824599
                                                                                        • Opcode ID: 236416d752bfd11479511d12580afa144d6423c540312a51b934c6b1db25806f
                                                                                        • Instruction ID: 5dce1b37e482b5c573687c98d0a6cf35b5dec1f87dacbf58e9b09d0b36833e19
                                                                                        • Opcode Fuzzy Hash: 236416d752bfd11479511d12580afa144d6423c540312a51b934c6b1db25806f
                                                                                        • Instruction Fuzzy Hash: 71E06D702003118BE3A0AFBCE9047527BE6AF00740F008E2DE486C6751DBB5E448CB91
                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 0067E3D5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Init_thread_footer
                                                                                        • String ID: 0%s$8%s
                                                                                        • API String ID: 1385522511-4174055574
                                                                                        • Opcode ID: 1c0dd287e96a12dbd015b9010324619d7eb04e266e2d5359801f682d06bef8c2
                                                                                        • Instruction ID: 1663aee9302b4be1bf31589124d7b6f8832ad0f93dd2836b2c238b13d3e93e0f
                                                                                        • Opcode Fuzzy Hash: 1c0dd287e96a12dbd015b9010324619d7eb04e266e2d5359801f682d06bef8c2
                                                                                        • Instruction Fuzzy Hash: B4E02032408D10CBF644E718B454B883357AB0C330B1082F8E245871D3DB7B1A47874C
                                                                                        APIs
                                                                                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 006D302F
                                                                                        • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 006D3044
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: Temp$FileNamePath
                                                                                        • String ID: aut
                                                                                        • API String ID: 3285503233-3010740371
                                                                                        • Opcode ID: 3590452964f693e0488cc5b92f5b7a024d0ba37aa43c6c189709719e339eae94
                                                                                        • Instruction ID: 95655bdee86c1587e154d112decb4e31e6ffb759d59a512c4a006d8699afb6be
                                                                                        • Opcode Fuzzy Hash: 3590452964f693e0488cc5b92f5b7a024d0ba37aa43c6c189709719e339eae94
                                                                                        • Instruction Fuzzy Hash: A2D05B7150032867DB209794AD0DFD73A6CD704760F0001517655D2091DAB49644CAD0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: LocalTime
                                                                                        • String ID: %.3d$X64
                                                                                        • API String ID: 481472006-1077770165
                                                                                        • Opcode ID: 741c6647de700b8958433c8450c70f65dba9e0a7a355f9495e61563e0de48f9b
                                                                                        • Instruction ID: fed256f18a8f2e3f9fc485f2d6be91a15021d68596cd5ee9110ff8577b707093
                                                                                        • Opcode Fuzzy Hash: 741c6647de700b8958433c8450c70f65dba9e0a7a355f9495e61563e0de48f9b
                                                                                        • Instruction Fuzzy Hash: 4CD012E1C09158E9CB90D7E0DD45CF9B37EEB08301F508466FA0A95041F638C78AAB61
                                                                                        APIs
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006F236C
                                                                                        • PostMessageW.USER32(00000000), ref: 006F2373
                                                                                          • Part of subcall function 006CE97B: Sleep.KERNEL32 ref: 006CE9F3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 529655941-2988720461
                                                                                        • Opcode ID: e9c25b8aa0fbc670d850bbeaa479b10e854469c02a8f24929c24c25269dbef44
                                                                                        • Instruction ID: ffce473c223436b1d311e0fa7c83086db60f294fd3eb30568be2b419e7acca7f
                                                                                        • Opcode Fuzzy Hash: e9c25b8aa0fbc670d850bbeaa479b10e854469c02a8f24929c24c25269dbef44
                                                                                        • Instruction Fuzzy Hash: 8AD012723C53147BE7A4B770ED0FFD676269B05B20F00591A7745EA1D4C9F4B811CA58
                                                                                        APIs
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006F232C
                                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006F233F
                                                                                          • Part of subcall function 006CE97B: Sleep.KERNEL32 ref: 006CE9F3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1382727000.0000000000661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1382699412.0000000000660000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.00000000006FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382804463.0000000000722000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382865884.000000000072C000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1382894610.0000000000734000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_660000_ORDER ENQIRY #093727664.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 529655941-2988720461
                                                                                        • Opcode ID: 908ead4a829ffc53d08a3207ff4ced3734932ba1dc0a06a6d80d067f12aa21d3
                                                                                        • Instruction ID: 923a4891786eace907370327d9adb69af47046e06a5797eee700fe300f6c4f6b
                                                                                        • Opcode Fuzzy Hash: 908ead4a829ffc53d08a3207ff4ced3734932ba1dc0a06a6d80d067f12aa21d3
                                                                                        • Instruction Fuzzy Hash: 28D01276394314B7E7A4B770ED0FFE67A269B00B20F00591A7745EA1D4C9F4A811CA54